Telepresence on the cheap?

Businesses can reap 80% to 90% of the benefits of telepresence via upgrades to existing videoconference gear at a fraction of what they’d spend on brand-new telepresence systems. Page 10.


Apple aims iPhone at corporate users

A host of new features, such as Microsoft Exchange and Cisco IPSec VPN support, are aimed at making the iPhone more attractive to corporate users. Page 20.
SPECIAL FOCUS: Choosing an apps security approach

Payment Card Industry security rules push for greater data protection. Page 12.


Microsoft director, identity management services

Microsoft is working on a series of upgrades to its directory and identity technologies in the coming months with the goal of creating a service-based identity platform. Page 21.
Big shots targeting VMware


BY  JON  BRODKIN 

VMware is synonymous with x86 server virtualization. It’s the unquestioned leader with an 80% market share for its hypervisor.

But cracks are starting to appear in the armor. Competitive products are cropping up all over the place; Microsoft is preparing an assault with the upcoming release of Hyper-V.

Uneasy lies the head that wears a crown. Just ask Bill Shakespeare — or Bill Belichick.

“VMware is the champion right now, but it’s sort of like the [New England] Patriots,” says Laura DiDio, a Yankee Group analyst. “When you go 18-0, you’ve got a bull’s-eye on your back. Everyone’s looking to take you down.”

So if VMware is the Patriots, which vendor is the Giants?

The obvious choice is Microsoft. But it could also be Citrix Systems — or Sun, Oracle, Virtual Iron Software, Novell or Red Hat. VMware’s biggest vulnerability is pricing, says DiDio, who just published a report on the virtualization price war.

Less expensive is not always better, but VMware’s product retails for about $3,000 per socket, while the other virtualization

See  VMware,  page  18 


Cisco  betting  big  on 
new  edge  router  line 


BY  JIM  DUFFY 

Cisco’s 2008 extreme makeover continued last week with the introduction of an all-in-one edge-router line designed to handle everything from deep-packet inspection to VoIP traffic — and is aimed squarely at one of Juniper Networks’ sweet spots.

The Aggregation Services Router (ASR) 1000 series, which Cisco spent five years and $250 million developing, will handle applications traditionally supported by the company’s aging 7200, 7300 and 10000 series routers, as well as the firewall and QoS duties typically owned by separate devices. Observers expect the ASR 1000 boxes, which have a new operating system and are powered by a superfast processor called QuantumFlow, will replace the older routers eventually.

The ASR 1000 represents the second overhaul of a Cisco product line announced this year. In January the company unveiled the Nexus 7000, a next-generation switch with built-in security.

Some observers expect Cisco also to recast its campus-switch portfolio, anchored by the years-old Catalyst 6500 and 4500 lines, to support bandwidth-intensive applications such as video and Web 2.0 programs.

FactSet, a provider of financial information and analytic applications for worldwide investors, sees a major consolidation

See  Cisco,  page  47 


Cisco's ASR 1000 line is intended to serve customers' WAN-edge needs for the next 10 years.

THE LINE FEATURES:

• Three models with three, eight and 12 shared port adapter slots.

• Embedded services processor that supports deep-packet inspection, QoS and other services.

• Performance of 4 million to 8 million packets per second.

• New version of IOS based on Linux kernel.


CLEAR CHOICE TEST: VoIP MANAGEMENT

Tools boast new diagnostic and repair features

Touchstone’s WinEyeQ edges ClearSight Analyzer in test of five products

VoIP monitoring tools have matured quite a bit in the past year or so. Products we looked at in past testing could alert you when a problem arose, but that was about it. Today’s products can tell you what the problem is and how to fix it. Page 36.
A billion reasons to love AT&T

AT&T last week said it will spend $1 billion in 2008 to expand its IP networks for large businesses, driven by an "explosive surge" in data, voice and video traffic. After a tough previous week for telecom during which big layoffs and poor financials were announced, the stock prices for telecom equipment companies jumped on the AT&T spending news.

If you can’t trust antivirus software . . .

If your computer gets infected with a Trojan called the "MonaRonaDona virus," be careful with what you use to wipe it off, says antimalware software provider Kaspersky Lab. MonaRonaDona is part of an elaborate scam to sell fake antivirus software, researchers say.

SNMP security loophole?

System administrators have long been wary of the security implications of Simple Network Management Protocol (SNMP), but a recent experiment by “ethical hacking” group GNUCitizen has shown that many SNMP-enabled devices are left unguarded and may be prone to giving away sensitive information. In a random scan of 2.5 million IP addresses via SNMP, the group found that many devices gave away names, models and in some cases the patch state of the operating system.


Tools have new diagnostic and repair features

Touchstone’s WinEyeQ provides a detailed display showing traffic sorted by protocol, packets and bandwidth.


PEERSAY 


New  wireless  exploits 

Re: Wireless security foiled by new exploits (www.nwdocfinder.com/3027):

Many SOHO networks use WPA with [a preshared key], but few have the skills to install higher-level authentication with RADIUS servers and the like. A big problem still is the lack of 802.1X in the general enterprise network. Many times you can go to a corporate site and plug an Ethernet cable into an open port and get a connection. Not very good port access-control at the basic level.

Paul  Lopez 

Discuss  at  www.nwdocfinder.com/3028 

Protecting against exam cheating

Re: A solution to the braindump problem — Part II (www.nwdocfinder.com/3029):

My conclusion is the problem is not “braindumping” at all but real-time, relevant, random certificate verification. The logic is that exam cramming for increased short-term memory retention can be quickly identified weeks or months later very simply by random retesting. Get the employer involved in random testing. I don’t mean a three-year term cycle but random unannounced testing. This is similar to random drug testing; the expectation of random testing reduces drug use.

Provide a program so HR or IT department managers can partner with certifying agencies and have access to certificate award databases and testing materials to allow immediate pre-hire and probation-period tests. If the certificate comes from ACMEquickCert.com, the pre-hire test should be pulled from ABCcertbuster.com or someone else. There is really not much of a chance to prepare for every possible test source and test method, so this can be step two to resolve the problem.

The big problem is that about 30% of the IT tech field would choke at their next job interview because their short-term test-prep memories will fail them in the face of random testing. They will need to know the material or face a reduced salary agreement.

I am not suggesting someone get fired for scoring less on a random test, but a percentage of their wages should be in the balance.

Bruce  Carver 

Discuss  at  www.nwdocfinder.com/3029 

Hatred 

Re: My top eight IT hates (www.nwdocfinder.com/3030):

I would add technology companies that refuse to sell directly to customers but have clueless resellers who don’t understand the products. Just last month, I called a manufacturer and got referred to a reseller, who had me call a contact at the manufacturer to figure out what product configuration I needed. This very knowledgeable guy couldn’t give me a price, though, and bounced me back to reseller guy so I could play phone-tag for three days. All manufacturers who use this model should regularly have a “secret shopper” call the reseller to see just how their products are being represented.

Jeff  Helm 

Discuss  at  www.nwdocfinder.com/3031 

How  Philly  Wi-Fi  could  work 

Re: Wi-Fi fizzles in Philadelphia (www.nwdocfinder.com/3032):

I still think it is a good concept, if a little underbaked. However, as I said then and still maintain, access is just one-third of the triangle. The city also needs to provide content and systems.

Content is relatively easy these days; what is missing is a set of templates and instruction to give tourists and citizens a common look-and-feel and strong experience-oriented organization.

Systems is another matter. Free (or inexpensive) Wi-Fi is useless without a computer. Philadelphia needs to involve its students in collecting and reconditioning computers that have reached end-of-life in the city government and schools. These systems (and training) could be provided to citizens at a sliding cost, to encourage use of the network and to get people online for city services instead of inline.

Christopher  Baum 

Discuss  at  www.nwdocfinder.com/3033 
John Dix, editor in chief, Network World, 118 Turnpike Road, Southborough, MA 01772. Please
■ State-sponsored URL filtering. Richard Stiennon writes in his Stiennon on Security blog, “I am in the midst of a four-city tour of Australia speaking on cyber warfare. There is much discussion of Australia's plan to require ISPs to filter particularly offensive content. For the most part this is being touted as a child protection action on several levels, one by blocking access to child pornography and two, by limiting the things Australian children will be exposed to. This policy is in marked contrast with the approach of the US which is hands-off. The idea being that parents are responsible for limiting what their children are exposed to and it is no business of the state to be the arbiter of good and bad content ... Filtering, as practiced by China and soon Australia is a boon to network security vendors. But it is a shame that it comes at the expense of reduced freedom of information.” www.nwdocfinder.com/3034

■ Trend: Application delivery systems plunge into performance management. Peter Sevcik and Rebecca Wetzel write in their new App Performance View blog, “Taking advantage of the measurement they must do to improve application performance, increasing numbers of Application Delivery System (ADS) vendors are adding performance management to their bag of tricks. This new trend will find them butting up against the likes of NetScout, NetQoS, Compuware, OPNET and Quest Software. In some cases this could save the trouble and money of buying and managing multiple solutions. ADSs modify traffic flows by controlling which packets get to move (traffic shaping, QoS, etc.) or accelerating the application above the packet layer (compression, caching, etc.).” www.nwdocfinder.com/3035

■ Microsoft trying to out-Google Google. Microsoft Subnet blogger Mitchell Ashley writes, “It seems like almost every day that Google makes some seemingly small, incremental move to gradually turn up the heat on Microsoft. The frog, Microsoft in this analogy, though knows Google is sticking it to them, but they’re just too big to make the leap out of the pot in one jump. Google just made available Google Calendar Sync, a Windows app that lets you sync your primary Outlook calendar with Google Calendar. Microsoft is trying to out-Google Google by quietly executing on their own strategy, giving all of us the appearance that Software plus Services is just a lame attempt at rebranding a slow and lumbering Microsoft.” www.nwdocfinder.com/3036
Intel shows off Atom prototypes

Intel shows off the Atom processor and prototype Atom devices at Cebit. The devices should be on sale in the middle of the year, Intel said.

www.nwdocfinder.com/3042 


Caroline, the self-driving car

Caroline is a self-driving car created by members of five institutes of the Braunschweig University of Technology in Germany. They turned a Volkswagen into a high-tech machine that's capable of driving on its own.

www.nwdocfinder.com/3043 


Ballmer talks about Green IT, Yahoo

Microsoft CEO Steve Ballmer covered a range of topics during the company’s Cebit press conference. He touched on green IT, emphasizing that the company’s recent software announcement has a thread of green.

www.nwdocfinder.com/3044 
Tantra Nightclub: Where everybody knows your identity

Identity management: Usually when Calgary, Alberta, is mentioned in this newsletter it’s something about Pamela Dingle, doyenne of the Pamela Project, but not this time. This time I want to tell you about a bar. Calgary’s Tantra Nightclub thought it had hit on a way to keep the violence down by scanning patrons’ driver’s licenses as they entered. According to a story in the Calgary Sun, this was Tantra’s way of contributing to Alberta’s “Cage Your Rage” campaign and bouncer training program. But the city’s Information and Privacy Commissioner recently ruled that this was a privacy violation and could no longer be allowed. This was applauded by many, including Microsoft’s identity guru, Kim Cameron. However, I’m going to side with the night club. Upfront, though, let me say that the objection I have is to this being done without the patron’s knowledge and consent. Tantra should tell them what will happen, then leave it up to the individual to decide if they want to go in (and provide their identity data) or not.

www.nwdocfinder.com/3038 

Wireless: In a domino-like manner, starting with Verizon Wireless, the major U.S. mobile network operators recently created all-you-can-eat voice plans for about 100 bucks a month. Given that many businesses now strike mobile contracts for pooled minutes of usage enterprise-wide, how beneficial will these plans actually be? “I like having options,” the telecom manager of a nationwide manufacturing company told me. “And it’s a good plan if you only have 20 users and they each talk 2,000 minutes per month.” However, this particular company has aggregated its 500 enterprisewide users onto a Verizon Wireless pooled-minutes plan that translates into the least-expensive minimum plan per user, per month. Doing the math, he says, the newly announced flat rates come out to “about $60 more per month, per user than I pay now.”

www.nwdocfinder.com/3039
Microsoft buys U-Prove technology

Microsoft hopes to beef up online privacy with the acquisition of U-Prove technology, the company announced last week. U-Prove was developed by Stefan Brands at Credentica as technology that lets Internet users disclose only the minimum amount of personal information when conducting electronic transactions as a way to reduce the likelihood of privacy violations. U-Prove also employs cryptography to prevent systems from pulling together information about users from various sources. Microsoft did not disclose a purchase price for the technology, which it plans to integrate into Windows Communication Foundation and CardSpace. Brands has joined Microsoft’s Identity and Access Group along with his colleagues from Credentica, Greg Thompson and Christian Paquin. www.nwdocfinder.com/3051


‘Mebroot’ proves to be a tough rootkit to crack. A rootkit uncovered in December is proving to be a real headache to detect, according to security company F-Secure. Dubbed Mebroot, the rootkit infects the master boot record, the first sector of a PC’s hard drive that the computer looks to before loading the operating system. Because it loads before anything else, Mebroot is nearly invisible to security software. “You can’t execute any earlier than that,” said Mikko Hypponen, F-Secure’s chief research officer. Since December, Hypponen said they’ve seen alpha and beta versions of the Mebroot rootkit but believe it has been RTMed, the term usually used for a legitimate piece of software that’s entered production after testing. Once a machine is infected, the hacker controlling the rootkit has control over it, opening the potential for a variety of other attacks.
www.nwdocfinder.com/3052

Census Bureau: Companies spend $251 billion on network and computer tech. U.S. businesses spent $251 billion on information and communication technology equipment and computer software in 2006, an increase of a little more than 6% from 2005, the U.S. Census Bureau reported last week. The rapid pace of technological advances in computers, telephones, fax machines and electro-medical apparatus and network gear has resulted in these assets being replaced quicker than other types of equipment, the bureau said in its latest Information and Communication Technology Survey. Many companies write off the full cost of these assets during the year of purchase rather than depreciating the cost over two or more years, the study found.
www.nwdocfinder.com/3053

Open source robot does household tasks. Imagine a robot that hands you a beer and then cleans your kitchen and living room. That’s what start-up Willow Garage is busy developing. Willow Garage is an open source project that wants as much outside participation as possible. One of its immediate goals is to build 10 robots and make them available to university researchers as a common platform that can be tinkered with and improved. Willow Garage also will supply “an open source code base integrated from the best open source robotics software available,” said President and CEO Steve Cousins last week.
www.nwdocfinder.com/3054

Patent reform tops BSA’s legislative priorities. The Business Software Alliance wants the U.S. Congress to pass a patent reform bill and executives at the trade group say they’re optimistic that the legislation will soon move forward in the Senate. Patent reform heads up a list of five legislative priorities the trade group released last Thursday. The BSA wants Congress to approve the Patent Reform Act, which the House of Representatives passed in September, but the legislation has been stalled in the Senate because of objections from inventors, pharmaceutical companies and some small tech firms. Among the BSA’s other legislative priorities is legislation that protects consumers’ data.
www.nwdocfinder.com/3055



SAP, Intel partner on new appliance. SAP and Intel are teaming to sell a Xeon-based appliance geared to run SAP’s ERP software, the companies announced at last week’s Cebit show in Hanover, Germany. The appliances will be loaded with SAP’s Business All-in-One software and its MaxDB database, along with SUSE Enterprise Linux from Novell, and are aimed at midsize manufacturing, trade and service industries. That architecture appears to already have some favor among SAP’s users. The company released figures stating that 700 midsize companies are running its SAP applications on Linux, and within that group, 35% are using MaxDB.
www.nwdocfinder.com/3048

Development model predicts chance of software flaws. Researchers from a German university have developed a model to predict programming errors in applications. The model analyzes a program’s version history and bug reports and examines the source code to find out how modules within the software interact with each other. It also looks at how the developers communicated with one another, examining their e-mail, instant message conversations and forum discussions. Researchers then use statistical analysis to build the prediction model, which can indicate, for example, that a section of code has a 70% probability of containing a defect. The university’s work has gained the attention of software giants SAP and Microsoft.
www.nwdocfinder.com/3049

Small scanner spots bogus money. A U.S. company has introduced a small counterfeit bill detector designed for retail use that can sniff out even the “super dollar,” a convincing yet bogus $100 bill allegedly produced in North Korea. In less than a second, the D500 Super Dollar Authenticator from AccuBanker USA can look at several aspects of a bill to confirm its legitimacy, including the distribution of magnetic ink on the paper. The magnetic map is stored in the D500, as well as three other maps containing ultraviolet, infrared and other measurements taken from legitimate bills, said Carlos-Andres Gonzalez, a vice president of sales for AccuBanker, at Cebit.
www.nwdocfinder.com/6050
NEWS ANALYSIS

Could corp. customers bail out Sprint?


BY  BRAD  REED 

Last month, new Sprint CEO Dan Hesse told USA Today that his company was considering offering flat-rate pricing for unlimited voice calling as a way to shake up the wireless status quo. Just more than a week later, Verizon, AT&T and T-Mobile all beat Sprint out of the gate, announcing unlimited wireless calling plans starting at $99.99 per month for both consumers and businesses.

Sprint has since tried to steal back some of the thunder from its competitors by announcing an unlimited “everything” plan that would give customers unlimited voice, data and multimedia services for $99.99 per month. While this plan seems to be a better bargain than the Verizon and AT&T plans — which only offer unlimited voice services for a monthly $99.99 charge — it is unlikely to make the big splash that Hesse had initially hoped for, because Sprint’s three biggest rivals came out with their own flat-rate wireless plans more than a week before. As Hesse pointed out in his USA Today interview, he’d prefer that his company be “on the offensive rather than the defensive” and that if Sprint can’t differentiate itself from its competitors then it “can’t win.”

Hesse’s desire to give the wireless market a jolt is understandable, because Sprint has been stuck in a rut since its 2005 merger with Nextel. Over the past couple of years, Sprint has faced problems ranging from continued difficulties in integrating former Nextel users into the Sprint network, a subpar marketing campaign and investor nervousness over the future of its $5 billion WiMAX investment to a shrinking subscriber base. Last week brought more bad news from the carrier, as it reported a $29.5 billion fourth-quarter loss that was caused by a write-down from the 2005 Nextel merger and an ever-shrinking customer base. Additionally, rumors have been swirling that Qwest will soon switch its wireless service provider from Sprint to Verizon to increase the quality of its cell phone offerings.

Gan  enterprise  services  lift  Sprint? 

But  even  with  all  this, a  Sprint  comeback  isn’t 
completely  out  of  the  realm  of  possibility  Some 
analysts  think  that  there  are  enough  unmet 
demands  in  the  wireless  telecom  market  for 
Sprint  to  carve  out  a  niche  for  itself  and 
improve  its  standing  as  a  brand.  Forrester  ana¬ 
lyst  Lisa  Pierce,  for  instance,  thinks  that  Sprint 
could  “cause  significant  nightmares  for  com¬ 
petitors”  by  refocusing  its  commitment  to 
enterprise  customers  and  billing  itself  as  a 
backup  carrier  for  business  sites  that  use 
incumbent  carrier  T1  services. 

Pierce  acknowledges  that  this  sounds  coun¬ 
terintuitive,  because  being  a  backup  provider 
typically  “doesn’t  generate  a  lot  of  revenue,”  but 
she  says  it  could  offer  a  foot  in  the  door  for 


businesses  that  are  “frustrated  with  [incumbent 
local  exchange  carriers]  and  anxious  for  alter¬ 
natives.”  The  best  way  for  Sprint  to  accomplish 
this  would  be  to  use  Xohm,  which  serves  as 
Sprint’s  planned  WiMAX  service,  as  a  primary 
fixed-line  access  service  that  could  support 
both  voice  and  data. 

“For this to make financial sense for Sprint, a company would have to
commit to putting minutes and megabytes over Xohm, and move from a
secondary to primary access arrangement,” she says, although she adds
that this plan could lead to a shortage of WiMAX spectrum on a local
basis, because consumer mobile Xohm applications would have to contend
for spectrum with the business users.

Nemertes Research analyst Mike Jude also thinks Sprint could rework how
it delivers services to enterprise customers by expanding the scope of
wireless business services beyond the basic voice and limited data
offerings currently provided for mobile workers.

“If I were running Sprint, I would get together with a company like IBM
Lotus or Google,” he says. “And I would put together a killer
collaboration application suite armed with some good business
productivity tools, and I would package it with a reasonable access plan
aimed at small and medium business users.”

Jude says that a collaboration package between Sprint and a company that
has a strong reputation for designing business applications could be “a
real winner if it were designed to run on broadband wireless and were
offered as a service.”

Think  small  for  big  results 

Others think that Sprint is already moving in the right direction to
retake portions of the consumer market, and that it’s only a matter of
time before its upcoming slate of services starts to have an impact.
Gartner analyst Tole Hart says that Sprint could cut its “flat-rate
everything” rate down by offering unlimited in-house coverage for
families who purchase femtocells, which are devices that use short-range
cell phone frequencies to route wireless calls through a home broadband
connection. Last year, Sprint rolled out its Airave devices in Denver
and Indianapolis, marking the first time a major carrier has sold
femtocells in metropolitan markets.

Hart says the advantages for Sprint are obvious, because femtocells
route calls through IP, thus freeing up more space on Sprint’s wireless
network. With more capacity on its network, Hart notes, Sprint could
offer some reasonably priced flat-rate family wireless plans that would
appeal to families who struggle with frequent overage charges.

“People would basically like that because they wouldn’t have to worry
about teenagers going over on minutes,” Hart says. “That’s something
that could definitely have traction in the market.”

Sprint  also  could  get  a  boost  if  it  is  successful 
in  its  new  negotiations  with  Clearwire  to  create 
a  nationwide  WiMAX  network.  Although  the 
two  companies  had  broken  off  their  plans  to 
build  a  jointly  operated  network  late  last  year, 
they’ve  recently  begun  talking  again,  and  Intel 
is  rumored  to  be  investing  more  than  $2  billion 
in  the  venture.  ■ 


InBrief 


Gates:  No  longer  world’s 
richest  according  to  Forbes 

Microsoft Chairman Bill Gates fell to third place on Forbes' 2008 list
of the world's richest people after 13 years at No. 1, due largely to
Microsoft’s bid for Yahoo. The magazine attributed Gates' decline to the
slide in Microsoft shares from the day before the company announced a
$44.6 billion offer to buy Yahoo, Jan. 31, to the day Forbes calculated
stock prices into its rich list valuations, Feb. 11. Had Microsoft
shares not declined so much, Gates would have been in a close race with
investing mogul Warren Buffett for the top spot on the list, Forbes
said. Buffett took over as the world's richest man this year with an
estimated $62 billion fortune, while Mexican communications industry
leader Carlos Slim Helu came in second with $60 billion. Gates’ fortune
was valued at $58 billion.

House  panel  kills  controversial 
copyright  provision 

A U.S. House of Representatives subcommittee has stripped out a
provision in a copyright enforcement bill that would have increased
fines by 10 times or more for compilation CDs containing pirated music.
Critics of the original version of the Prioritizing Resources and
Organization for Intellectual Property Act had complained that one
provision would assess fines for each separate copyright work on a
compilation work such as a CD, meaning the fines for a 10-song
compilation CD would range from $7,500 to $1.5 million, instead of the
current $750 to $150,000. While the controversial provision has been
stripped, the PRO IP Act would still increase other penalties for
copyright infringement, including a doubling of damages in
counterfeiting cases, with the maximum penalty for a counterfeiting
offense rising to $2 million.
Using telepresence on a budget

Adding  telepresence  features  doesn’t  mean  ripping  out  videoconference  gear 


BY  TIM  GREENE 

Businesses can reap 80% to 90% of the benefits of telepresence via
upgrades to existing videoconference gear at a fraction of what they’d
spend on brand-new telepresence systems, according to an analyst firm
specializing in unified communications.

“You don’t have to spend $200,000 to get good image quality. You don’t
have to spend $170,000 to get a panoramic view. You can do this much
less expensively,” says Ira Weinstein, a partner at Wainhouse Research.

Instead, companies already using videoconference equipment can
selectively upgrade it to boost the illusion that participants are all
in the same room, which is one of the main goals of telepresence.

For example, audio, not video, is the most important factor in whether a
videoconference discussion is satisfying, Weinstein says, so a business
could pick the most used videoconference rooms and add $2,000 worth of
microphones in tabletops and speakers in ceilings to improve the sound.

“The moment you do that you will have a massive improvement in the
experience, yet you spent only a couple of thousand dollars,” he says.
“You didn’t have to go to telepresence to improve your audio. With a
little money you can make a big difference.”

Similarly, businesses can improve video by installing bigger screens to
boost the size of the images of participants. “You spend $7,000 on the
screen and installation and suddenly instead of half-life-size images of
people you can get full-size,” Weinstein says. “That’s a lot less than
$150,000 or $200,000, yet you’ve made a significant improvement.”

But there are those that want the ideal telepresence experience. Anthony
Knight, a service delivery manager for Pfizer Ltd. in the Netherlands,
says his firm is buying into telepresence even though it already has 55
videoconference rooms.

“We get the room done, put in video equipment, and then there’s no money
for wall coverings and furniture. Telepresence includes the money to get
the room right,” Knight says.

That  demonstrates  a  need  for  telepresence, 


but something less can be adequate. “There is a place for turnkey
telepresence offerings from Cisco, Polycom, Tandberg, HP,” Weinstein
says. “But you don’t need the telepresence level of communications in
every conference room. You can apply those concepts to your
videoconferencing deployments and enjoy a better experience.”

Tweaking lighting, camera angles, decor and bandwidth can make a
significant difference relatively inexpensively, he says.

For instance, telepresence conference rooms built by some vendors call
for identical furniture, wall coverings and even room size. But the
illusion can be maintained without buying identical tables and chairs
and shipping them around to all sites or using lighting consultants to
perfect the ambience, he says. Available chairs and conference tables at
each site can serve just as well.

Corporations will find they want to preserve their videoconferencing
gear for other reasons, Weinstein says.

Videoconferencing  generally  uses  one 
screen  per  site  that  can  be  divided  into  many 
segments  to  accommodate  images  from  many 
other  sites.  Rooms  can  vary  from  auditoriums 
with  hundreds  of  attendees  to  private  offices 
with  one  participant,  so  images  of  individuals 
can  vary  greatly  in  size. 

By  contrast,  telepresence  seeks  a  consistent 
experience  at  all  sites  by  using  multiple  video 
screens  (usually  three)  to  create  a  panoramic 
view  of  participants  at  other  locations  and  to 
generate  life-size  images  of  them,  he  says. 

“Videoconferencing favors flexibility so you don’t get consistency,”
Weinstein says. “Telepresence favors consistency.”

Because of camera and seating restrictions, participation in
teleconferences is limited to six or eight people per site.
Accomplishing this requires high-bandwidth connections — usually 3M or
4Mbps — and a single vendor’s equipment to all sites, which limits what
sites can meet with what other sites. Interoperability in telepresence
is all but nonexistent.

Telepresence  also  offers  a  wide  view  of 
remote  rooms,  which  are  lighted,  arranged, 
decorated  and  furnished  to  give  the  illusion 
that  they  are  an  extension  of  the  room  each 
participant  is  actually  sitting  in. 

With videoconferencing, bandwidth requirements can be a few hundred
kilobytes, and technologies can include dedicated links, IP, even
dial-up ISDN, so access is flexible. Standards are well established so
each site can generally connect with most other sites regardless of
which vendor’s equipment is used at each location.

Businesses that want telepresence but have a tight budget don’t have the
option of downgrading elements of a telepresence package, Weinstein
notes. “You can’t tell Polycom I want this for $180,000 less so give me
cheaper codecs or cheaper screens,” he says.


Telepresence vs. videoconferencing

Conferences providing voice, video and data screens can be accomplished
with videoconferencing and newer, more realistic and more expensive
telepresence, but there are other important differences.

Telepresence

Pros

• Full-size images of participants.
• High-definition sound and video.
• Consistent sense of being in the same room and looking each other in
the eye.

Cons

• Expensive.
• Requires high bandwidth.
• Requires rigidly specified rooms, decor, furniture and lighting.
• Supports limited participants.

Videoconferencing

Pros

• Costs less.
• Has flexibility via well established interoperability standards.
• Accommodates low-bandwidth links.
• Accommodates high numbers of participants.

Cons

• Screen size and image quality vary.
• Sound quality can be spotty.
• No sense of being in the same room with remote participants.


But companies with an investment in videoconferencing facilities have
options to upgrade the pieces that will bring about the most improvement
and approach the level of telepresence, he says.

“Your job as a conferencing manager is to find that balance where you’re
spending what you need to spend yet you’re making a big difference,” he
says. ■


10  •  MARCH  10,  2008  •  www.networkworld.com 


SPECIAL FOCUS: SECURITY


Choosing  an  apps  security  approach 

Payment  industry  security  rules  push  for  greater  data  protection 


BY  ELLEN  MESSMER 

Application  security  is  getting  a  new  push  as  rules  governing  the 
Payment  Card  Industry  mandate  that  many  businesses  undergo  a 
software  code  review  or  make  use  of  a  Web  application  firewall 
starting  later  this  summer. 


“Application security is high on everybody’s radar,” says Brad Friedman,
CIO at Burlington Coat Factory, which, like other businesses that handle
customer payment cards, is obligated to comply with PCI security
guidelines (www.nwdocfinder.com/3021). For Friedman, who says his
company has locked down PCs and point-of-sale devices in its 400 stores,
the concern remains how to avoid the kind of credit-card data-breach
fiasco that TJX had last year.

But  the  question  is:  Which  of  these  soon- 
to-be  PCI-required  approaches  to  take?  And 
even  if  you’re  not  required  to  go  with  one  of 
these  approaches,  does  either  of  them  really 
do  the  trick? 

Code  analysis  pros  and  cons 

There’s a wide range of tools and services (www.nwdocfinder.com/3022)
that help automate code analysis for the purpose of finding security
flaws in applications, including those from Fortify Software, Klocwork
and Veracode. And there are application-penetration testing tools, such
as the Core Security Technologies’ Core Impact software, which uses an
agent-based approach.

Many security experts point out, however, that automated code analysis
has its limits, especially when it concerns finding flaws in the
underlying business logic of an application.


Keeping  an  eye  on  things 


“Source-code analysis won’t find all security vulnerabilities,”
acknowledges Brian Chess, chief scientist at Fortify, which makes tools
for static-code analysis and real-time analysis of applications. “It
will find a lot of vulnerabilities that can be exploited through buffer
overflows, cross-site scripting and SQL injection. But source-code
analysis can’t tell you about business logic flaws. It can’t find design
flaws.”

Others agree. “Closed source or open source, it comes down to the
programmer and their psychology,” says Joe Stewart, senior security
researcher at Atlanta-based SecureWorks. “Code inspection will find
common mistakes, such as buffer overflows. But finding errors in logic
is much harder.”

Business logic flaws often are made in the design of an application’s
authentication process, Stewart says. “Suppose it checks one letter at a
time — it gives attackers a clue,” he says. “Or a logic bug may involve
giving people access to something they shouldn’t have. Programmers may
skip over the critical checks so they can do it faster.”

Stewart  adds  that  another  common  error 
in  writing  code  for  the  Web  is  putting  the 
public  backup  of  a  file  in  a  public  directory 
that  can  be  read  on  the  Web,  allowing  an 
attacker  to  download  PHP  code  to  read  the 
mistakes  in  the  code. 


Web  application  firewall  pros  and  cons 

Web  application  firewalls  (also  called 
application-layer  firewalls)  are  generally 
regarded  as  an  appliance,  server  plug-in  or 
filter  that  can  apply  a  set  of  security  rules  to 
the  back  and  forth  of  HTTP  traffic  to  identify 
and  block  certain  types  of  attacks. 

Reading, Pa.-based Sovereign Bank, with 800 retail locations plus
Internet banking, uses the WebDefend Web application firewall from
Breach Security. Web Security Manager Aron Weaver says the product is
useful for learning about the defects in an application while it’s
running, such as spotting where a SQL injection or cross-site scripting
attack might occur due to a programming error.

“Web application firewalls will block the malicious traffic, and it
gives you time to correct the code,” Weaver says.

Sovereign Bank also uses its Web application firewall to watch outbound
traffic to detect suspicious activity involving customer-account
numbers. In addition, the bank deploys periodic scanning from SPI
Dynamics to look for vulnerabilities. But Weaver says his impression is
it only catches a small portion of the application problems because
these techniques don’t find the mistakes in business logic.

“For instance, it might be where two systems are handing off data to
each other, and the way the authentication flows from one to another
fails in the application,” Weaver says. These sorts of business-logic
mistakes are dug out through a lot of manual testing and code review, he
adds.

“Web application firewalls are good for finding technical
vulnerabilities,” says Danny Allen, director of security research at IBM
Rational, which makes the Rational AppScan tool for analyzing software
holes. “But the other kind of problem is in the business layer in the
logic. This needs to be addressed in collaboration between the security
team and the development team. It’s about education in building
applications,” he says.

Ed Adams, CEO at Security Innovations, a consultancy specializing in
application security risk assessment, also sees poor coding practices as
the central problem.

“The bigger problem is the insecure way that applications are coded
today,” he says. “Web application firewalls catch a lot of the
low-hanging fruit, like a SQL-injection attack. But they don’t catch
business-logic attacks.”

Some  of  the  most  egregious  business-logic 
See  Security,  page  13 


A look at frequency of security reviews conducted, by type, according
to a Deloitte survey of 169 financial institutions.

                                   Quarterly  Semi-annually  Annually  Ad hoc  Never
VULNERABILITY SCANNING                38%          11%         18%      26%      7%
PENETRATION TESTING (INTERNALLY)      18%          12%         26%      28%     16%
PENETRATION TESTING (EXTERNALLY)      16%          16%         34%      24%     10%
APPLICATION SECURITY CODE REVIEW       7%           1%          8%      61%     23%




NEWS  ANALYSIS 


Tech  leaders  scramble  for  IT  talent 


BY  DENISE  DUBIE 

BOSTON — Massachusetts tech leaders are working to get ahead of the
“quiet crisis” IT management will face in a few years when scores of IT
staff retire.

“We have more than 2,000 IT professionals in the commonwealth, and 30%
are going to retire within five years. The changing workforce is
dramatic, both in demographics and skill sets,” said Anne Margulies,
assistant secretary and CIO for the commonwealth of Massachusetts. “The
people we have, all have to be retrained. This is the quiet crisis in IT
management,” she added.

Margulies told attendees last week at research firm Input’s State
Executive Breakfast in Boston that, because of her previous work
experience at the Massachusetts Institute of Technology and Harvard
University, she also realizes the number of computer science graduates
is dwindling. The imminent retirement of baby-boomer IT workers and
students’ loss of interest in IT have tech leaders at public and private
organizations looking for talent now to avoid being resource constrained
in the future.

“Even at MIT, enrollment in computer science programs is steadily
declining, due to outsourcing concerns and the dot-com bust. We have
fewer computer scientists in our schools, and the supply is going to be
down when the demand will be way up in a few years,” she said.

Margulies included recruiting new IT talent among her top five
priorities as Massachusetts’ technology leader. The commonwealth has
partnered with the University of Massachusetts Boston to develop courses
and internship programs to make sure existing government IT staff can be
trained in the latest skills, and to develop a pipeline of new talent
graduating from the university into commonwealth positions.

Margulies said as part of its updated training program, the commonwealth
has developed courses in project management, Java development, and
business analysis and design methodologies at UMass Boston. And by
partnering with the university on the internship program, the
commonwealth will hire 20 of its computer-science graduates this year.
“UMass Boston is eager to increase enrollment and create a pipeline of
students coming out of UMass and into the commonwealth,” she said.

Despite Massachusetts’ and many other states’ having to cut costs,
Margulies reported that commonwealth leaders will increase its
investment in IT. The IT Bond Bill currently before the Massachusetts
legislature calls for a $450 million budget for modernizing existing
systems and investing in new technologies, as well as for another $78
million for a second data center in western Massachusetts to augment the
current Chelsea location.

While it can get “pretty gloomy in staff meetings,” Margulies said IT is
one of the “few budget areas with increases.” ■


WORKERS WANTED

Close to 60% of 749 C-level executives reported to the IT Governance
Institute that an insufficient number of IT staff poses a continuing
problem in their organization.


BY GRANT GROSS, IDG NEWS SERVICE

AT&T will spend $1 billion in 2008 to expand its IP networks for large
businesses, driven by an “explosive surge” in data, voice and video
traffic, the company said last week.

AT&T’s 2008 investment in its enterprise networks will be a 33% increase
from 2007 and more than double its investment in 2006, the company said.

Among AT&T’s 2008 network expansions:

• Added under-the-sea fiber-optic cable capacity to Japan and other
parts of Asia, as well as to the Caribbean. AT&T plans to invest in
multiple under-the-sea cable systems to Southeast Asia and Australia,
and import existing cable servicing India and the Middle East.

• New multi-protocol label switching (MPLS) routers in Europe, Asia and
the United States, with new or additional MPLS-based IP network access
nodes in Paris, Russia, Kuwait, India, Japan and other countries.

• Enhanced Ethernet network capabilities, including the rollout of a
global virtual private LAN product, initially in the United States,
Europe and the Asia-Pacific region. AT&T plans to make these services
available in 2008 in 14 cities: Frankfurt, London, Brussels, Paris,
Amsterdam, Stockholm, Dublin/Cork, Milan, Madrid and Zurich in Europe;
and Hong Kong, Sydney, Singapore, and Tokyo in the Asia-Pacific region.
The company expects to have an Ethernet footprint in 39 countries by
year-end.

• The addition of DSL as an access alternative to China, Finland, Norway
and Saudi Arabia. By year-end, AT&T plans to have DSL available as an
access alternative in 21 countries.

“Companies worldwide are responding to the exploding need to deliver
voice, data and video in real time to their end-users, no matter where
they are, no matter what the device,” Ron Spears, group president for
AT&T Global Business Services, said in a statement. “It is vital that we
continue to invest in those geographies and services to meet this demand
so our customers can connect their operations, partners and suppliers.”

In the fourth quarter of 2007, AT&T’s Global Business Services unit saw
hosting revenues grow by 19%, enterprise IP-data services by nearly 21%,
and VPN revenues by 31%. ■


Security 

continued  from  page  12 

errors that Adams has recently observed have been associated with
software cookies, the small data parcels sent from a server to a Web
browser for purposes of authentication, tracking or maintaining specific
information about the user.

“At one e-commerce site, we found we could just open it, see the session
ID and change the price,” Adams says. “This is ‘cookie poisoning,’ and
it’s very common. The problem is once the cookie was issued by the
server, they weren’t revalidating it. The shipping was calculated the
same way.”
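
The missing revalidation Adams describes, and a comparison that avoids the letter-at-a-time clue Stewart mentions, sketched in Python as an added example (not code from the article or from any site it describes). The catalog, cookie layout, key and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: server-side price list (in cents) and a demo key.
CATALOG = {"sku-1001": 4999, "sku-2002": 1250}
SECRET_KEY = b"constructed-demo-key-not-for-production"


class TamperedCookie(Exception):
    """Raised when a cart cookie fails server-side revalidation."""


def _encode(cart):
    return base64.urlsafe_b64encode(json.dumps(cart, sort_keys=True).encode()).decode()


def _decode(payload_b64):
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def _tag(payload_b64):
    return hmac.new(SECRET_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()


# --- Weak form: the price travels in the cookie and is trusted on return ---
def issue_cookie_unsigned(sku, qty):
    return _encode({"sku": sku, "qty": qty, "unit_price": CATALOG[sku]})


def checkout_trusting_cookie(cookie):
    cart = _decode(cookie)
    return cart["unit_price"] * cart["qty"]  # never checked against CATALOG


# --- Hardened form: no price in the cookie, HMAC tag, price looked up again ---
def issue_cookie_signed(sku, qty):
    payload = _encode({"sku": sku, "qty": qty})
    return payload + "." + _tag(payload)


def checkout_revalidating(cookie):
    payload, _, tag = cookie.partition(".")
    # compare_digest takes the same time wherever the first mismatch occurs,
    # so a wrong tag cannot be corrected one character at a time.
    if not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        raise TamperedCookie("signature mismatch")
    cart = _decode(payload)
    sku, qty = cart.get("sku"), cart.get("qty")
    if sku not in CATALOG or type(qty) is not int or not 1 <= qty <= 100:
        raise TamperedCookie("cart contents rejected")
    return CATALOG[sku] * qty  # price always comes from the server's own data


def client_edit(cookie, **changes):
    """Models a user editing cookie fields in the browser; any old tag is kept."""
    payload, sep, tag = cookie.partition(".")
    cart = _decode(payload)
    cart.update(changes)
    return _encode(cart) + sep + tag


if __name__ == "__main__":
    weak = client_edit(issue_cookie_unsigned("sku-1001", 2), unit_price=1)
    print("weak checkout total (cents):", checkout_trusting_cookie(weak))
    try:
        checkout_revalidating(client_edit(issue_cookie_signed("sku-1001", 2), unit_price=1))
    except TamperedCookie as err:
        print("hardened checkout rejected cookie:", err)
```
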

But nobody thinks Web application firewalls are a waste of time and
money.

Paul Asadoorian, senior network security engineer at Oshean, a
consortium providing network and security services for Rhode Island
universities, healthcare organizations and the state government, points
out that ModSecurity, the open source Web application firewall plug-in
for the Apache Web server, is very popular at universities to prevent
cross-site scripting and other attacks.

“The IT staff for servers and networks at universities often don’t have
control over the application-development process,” Asadoorian says.
“ModSecurity strips out characters to prevent attacks.”

In the final analysis, most say, automated code analysis and Web
application firewalls both play a valuable role and can be complementary
approaches to securing applications. The real challenge is building
applications right from the start.

“Our mind-set needs to change,” Asadoorian says. “The code needs to be
sanitized much better than it is when you’re writing the application and
then running it.” ■


AT&T  plans  $1  billion 
VMware

continued  from  page  1 

vendors typically charge $700 to $800, according to DiDio. Microsoft’s
Hyper-V will cost a paltry $28 as a stand-alone product or come free as
an add-on to Windows Server 2008. The EMC-controlled VMware hasn’t
indicated any possibility of lowering prices, but it does offer one free
product called the VMware Server, intended to lure new customers.

A Yankee Group survey last year had 55% of server-virtualization
customers planning to use VMware, 29% opting for Microsoft, 14%
undecided and the rest buying from one of several other vendors.

Microsoft is thought to have the most promising shot at overcoming
VMware’s huge market lead. But this is a rapidly growing market, and
each player has a chance to carve out its own niche while luring
customers away from VMware and its flagship ESX Server. Here’s a
detailed look at the vendors that analysts say pose the biggest threats
to VMware.


Microsoft 


Inexpensive,  but  lacks  high-availability 
features 

Gartner analyst Thomas Bittman predicts Microsoft will hold its own vs.
VMware, but not necessarily overtake the top spot in the minds of
customers. “It’s going to come down to VMware being the major enterprise
player and Microsoft being the major midmarket player,” says Bittman,
who is preparing research on the virtualization market. “Everyone else
is basically a niche player.”

Microsoft’s  proprietary  server-virtualization 
technology  is  one  of  three  major  architectures 
on  the  market,  along  with  VMware’s  and  the 
open  source  Xen  hypervisor. 

Microsoft’s  Virtual  Server  product  never  really 
caught  on  despite  having  several  years  on  the 
market,  but  Redmond  officials  are  taking  aim 
at  VMware  again  with  Hyper-Y  which  is  avail¬ 
able  in  beta  as  part  of  Windows  Server  2008 
and  is  expected  to  be  generally  available  with¬ 
in  five  months. 

DiDio thinks Microsoft’s partnership with
Citrix — owner of XenSource — is an important
leg of Microsoft’s strategy even though
some analysts expect Microsoft to deemphasize
this relationship when its own hypervisor
hits the market.

The Microsoft-Citrix partnership involves
Citrix virtualizing Windows while Microsoft
supports Citrix products. Microsoft’s System
Center Virtual Machine Manager can manage
both Citrix XenServer and the Citrix Presentation
Server. Citrix’s desktop virtualization
product will support Hyper-V and there will be
interoperability between virtual servers running
on the two companies’ hypervisors, DiDio
says.

Microsoft has partnerships with Novell and
Sun, and says the next version of Virtual
Machine Manager will manage VMware software.
“Microsoft’s strategy is basically to surround
VMware with all these partnerships,”
DiDio says.

Microsoft’s technology, however, is lacking
two features wanted by the most demanding
customers, says Jeffrey Gaggin, an enterprise
software analyst for Avian Securities. One is live
migration, which lets users move an application
running on a virtual server from one physical
device to another. With Microsoft, this
migration takes 5 or 10 seconds while VMware
can do it almost instantly, he says.

The second missing feature is “hot add,” the
ability to add memory to a server while it’s running,
Gaggin says.

“Beyond the hypervisor is the ability to manage
all this stuff,” he says. “That’s where VMware
really adds value. That ultimately will be a roadblock
for Microsoft.”

Still, “when Microsoft launches [Hyper-V], it
could definitely have an impact on the
[VMware profit] margin. Do people want to
pay more for VMware’s offering? I think that’s
always hard to tell,” Gaggin says.


Citrix


Also offers desktop virtualization, but vulnerable
to Microsoft

Some analysts believe Citrix has the second-best
shot to make a dent in VMware’s market
share lead, but the praise is not universal.
Citrix’s key move was buying XenSource, run
by the designers of the Xen hypervisor, last year
for $500 million.

Citrix’s  potential  to  disrupt  VMware  seems  to 
depend  heavily  on  whether  Microsoft  will  turn 
out  to  be  more  of  a  competitor  or  more  of  a 
partner. 

Gartner’s Bittman thinks Citrix acquired
XenSource in the hopes that it could license
the technology to Microsoft and prevent
Microsoft from going forward with Hyper-V.
Obviously, that didn’t happen. He thinks
Microsoft, Sun and Oracle all pose bigger
threats to VMware than Citrix does.

“The only clear opportunity is right now
before Microsoft enters the market,” Bittman
says. “After Hyper-V comes out, I wouldn’t expect
Citrix to be aggressive in server virtualization.
Microsoft has deeper pockets. I don’t see
how Citrix can compete.”

Nemertes Research contends that the
Citrix buy will lend “significant financial and
marketing muscle to XenSource” in its bid to
compete with VMware, and that fiercer competition
will lead to more innovation in virtualization
technology.

DiDio does not see Microsoft deemphasizing
its partnership with Citrix. “Microsoft needs
Citrix in this thing as much as Citrix needs
Microsoft,” she says. “Citrix has wonderful desktop
virtualization, wonderful storage management.
Microsoft is late to the market on a lot of
this stuff.”

Sun Microsystems

Hardware  management  background  a 
plus,  needs  to  execute 

The Xen hypervisor provides the foundation
for Sun’s x86 virtualization product,
known as xVM. Sun isn’t alone here; practically
every one of VMware’s major competitors
uses Xen, including Oracle, Novell, Red
Hat, Virtual Iron and Citrix. Each is doing
work to make sure the Xen hypervisor is
more robust, but more importantly, each is
trying to differentiate itself with management
tools, Bittman says.

Bittman thinks Sun poses VMware the second-biggest
threat behind Microsoft. “My view
is, if Sun doesn’t do it, it’s going to be a two-horse
race,” he says.

Sun typically has not done well in the software
market, but Bittman is optimistic because
virtualization is pretty close to Sun’s expertise
— managing hardware.

“Managing virtual machines, it’s really just
one step above managing the hardware itself,”
Bittman says. “We consider Sun to be a dark
horse. The proof has got to be in the execution.”

Sun’s xVM is a set of technologies for
desktop and x86 server virtualization. Sun
also has a SPARC hypervisor for its own
hardware. Sun bolstered its virtualization
portfolio a few weeks ago by purchasing
Innotek, which makes desktop virtualization
software targeting developers who
want to build, test and run applications on
multiple operating systems.

“Their real strategy is, of course, built around
the Solaris operating system, virtualizing
Solaris,” DiDio says. “Their approach is, they
have these zone containers. It gives you isolated
execution environments within Solaris.”


Oracle

Late entrant, could win over Oracle shops

Founder and CEO Larry Ellison isn’t shy
about poking a finger in VMware’s eye. He
reportedly predicted that VMware will meet the
same demise as Netscape.

Ellison is finalizing a deal to purchase BEA
Systems, which has a partnership with VMware
to provide Java virtualization products.

That move could foil some of VMware’s
plans, though it’s not clear yet how Oracle
intends to fit BEA into its virtualization strategy,
DiDio says. Oracle is a new entrant into the
virtualization market with Oracle VM, which
has such advanced features as live migration,
according to DiDio’s Yankee Group report.

Oracle, well known for its database and
application-server products, is targeting VM
primarily at heavy Oracle customers, Bittman
says. “They’re doing it as a defensive move,” he
says. “They don’t want VMware or Microsoft to
be underlying the Oracle stack. That takes
away potential control of an account. ...
Oracle VM does not need to make money. The
whole goal is defensive.”

Yankee Group analyst George Hamilton
agrees Oracle’s move is essentially a competitive
reaction aimed at maintaining its preexisting
customer base, rather than a bold attempt
to expand into new markets.

DiDio  thinks  Oracle  is  being  more  ambitious 
than  that,  however. 

“Larry Ellison has been on a shopping spree
for the last three years,” she says. “Oracle wants
to grab off a piece of the virtualization market.”

Virtual Iron

Affordable  pricing,  but  a  small  vendor 
among  big  competitors 

This vendor says it has gotten a big boost
from hardware modifications developed by
Intel and AMD that make it easier to develop
virtualization software. Virtual Iron always supported
Linux because the open source operating
system could be rewritten to its purposes.
Now it can support Windows as well,
because of the processor upgrades, company
CTO Alex Vasilevsky explained last August.

Every vendor is benefiting from hardware
upgrades, however, notes Charlie Burns of
Saugatuck Technology.

“The question then becomes who can support
those changes with the most optimized
code or the broadest functionality, or who can
convince those chip designers they need to
keep doing more,” Burns says. Intel and AMD
face a double-edged sword, he notes, because
further virtualization-related improvements in
hardware would let customers run more workloads
on fewer servers.

Virtual Iron’s management tools have live-migration
and live-disaster-recovery capabilities,
DiDio writes. Gartner’s Bittman rates
Virtual Iron as VMware’s fifth biggest threat,
ahead of Novell and Red Hat, which he ranks
sixth and seventh, respectively.

“Virtual Iron has interesting technology, but
as a small vendor it’s unlikely to survive,”
Bittman says. “They’ll probably be acquired by
somebody.”

Small-to-midsize companies tend to be
attracted to Virtual Iron, Yankee Group’s
Hamilton says. “Virtual Iron’s go-to-market plan
is simple,” he says. “They try to position themselves
as having very similar capabilities to
VMware at a fifth of the cost.”

Novell


Strong  mgmt.  tools,  needs  to  deliver 

The  Xen  hypervisor  is  embedded  free  of 
charge  in  Novell’s  SUSE  Linux  Enterprise 
Server  10,  and  only  one  Linux  license  is 
needed  for  all  virtual  images  on  a  physical 
server,  DiDio  says.  Novell  tries  to  differentiate 
itself  with  ZENworks  Virtual  Machine 
Management,  which  lets  customers  manage 
any  virtual  environment,  whether  it  be  Xen, 
Microsoft  or  VMware. 

“Novell’s  positioning  is,  they  have  very  good 
management  tools  with  the  ZENworks  suite,” 
Hamilton  says. 

Like Microsoft, Novell might win over customers
because of its expertise in managing
an operating system, Burns says.

“The fact that they have a distribution of
Linux, they can make changes and say ‘the
changes we’ve made here are to make it work
better in a virtual environment. But [you need
to] use our version of virtualization at the
same time,’” Saugatuck’s Burns says. “VMware
doesn’t have that.”

Novell made a big move on Feb. 25 when it
said it will spend $205 million to acquire
PlateSpin, a vendor that helps customers
adopt, extend and manage server virtualization
in the data center.

PlateSpin markets a PowerConvert product,
which performs physical-to-virtual conversions
of Windows source systems into
XenSource’s XenEnterprise Virtual Machines.


Red Hat


Aggressive  pricing,  but  management  tools 
lacking 

Red  Hat  Enterprise  Linux  distribution 
comes  with  the  Xen  hypervisor  for  free, 
while  the  RHEL  Advanced  Platform  includes 
extra  features  such  as  storage  virtualization, 
redundancy  and  high-availability  clustering, 
DiDio  says. 

Red  Hat’s  strategy  is  made  more  interesting 
by  RHEL  recently  becoming  available  on 
Amazon.com’s  Elastic  Compute  Cloud  (EC2) 
service,  in  which  users  pay  small  monthly  fees, 
she  adds. 

“Red Hat is aggressively advertising the fact
that its virtualization solution is far more economical
than VMware’s,” DiDio notes. Red Hat
vice president Scott Crenshaw has claimed
that businesses can save “$20,000 to $30,000
on licensing fees” compared with VMware, she
adds.

Bittman dismisses Red Hat’s chances, saying
its management capabilities are subpar.

Red Hat’s position is similar to Novell’s,
Saugatuck’s Burns says, with each having
the advantage of distributing its own Linux
operating system. “At this point, it’s really a
matter of who does it first,” he says. “Who
gets it out first and in a reliable, robust fashion,”
he adds.


VMware


Needs  to  watch  its  back,  continue  to 
innovate 

VMware certainly has not been standing
still in the face of its competition growing
larger and more robust. VMware struck a
deal in January to buy application-virtualization
vendor Thinstall. VMware hosted
VMworld in Europe from Feb. 26-28 and
made several announcements, including
agreements with HP, Dell, IBM, Fujitsu and
Siemens to ship servers with a slimmed-down
version of VMware’s hypervisor
embedded in the hardware.

VMware officials aren’t worried about the
competition, says Stephen Herrod, VMware’s
CTO, who says “products from would-be competitors
aren’t really there yet.” (Read an interview
with Herrod at www.nwdocfinder.com/3046.)

VMware  may  be  forced  to  lower  its  prices, 
DiDio  says,  but  overall  the  company  is  making 
the  right  moves. 

“The  market  is  VMware’s  to  lose.  And  these 
competitors  are  going  to  have  to  take  it  away 
from  them,”  she  says. 

Beyond those already mentioned, the virtualization
market includes niche players, such
as Cassatt, Egenera and Parallels. If enterprise
customers expand their use of virtualization
as much as some analysts predict, even someone
holding 1% of the market could be quite
successful. “We’re just at the precipice of an
emerging market. Any of these niche players
could be huge,” DiDio says.

Hardware  advances  are  making  it  easier 
for  more  vendors  to  develop  virtualization 
software.  VMware  can  retain  its  dominant 
market  share,  but  it’ll  need  to  outwork  its 
competition. 

“[VMware’s] technology is still ahead of the
competition. But the side of the road is littered
with companies that had superior technology
and got out-marketed. Think Netscape,” Hamilton
says. “[VMware] is going to have to carve
out more of a value proposition than just
being the only vendor out there.”

Apple iPhone to take on BlackBerry?


BY  BRAD  REED  AND  JOANIE  WEXLER 

Now  that  Apple’s  iPhone  has  swept  the 
consumer  market  off  its  feet,  it’s  moving 
toward  becoming  a  dominant  enterprise 
device  as  well. 

During a media conference at its San
Francisco headquarters last week, Apple
unwrapped a host of new features that are
designed to make the iPhone more attractive
to corporate users. The biggest piece of the
enterprise package will give iPhone users
access to Microsoft’s Exchange ActiveSync,
which will provide them with secure over-the-air
e-mail, contacts, calendars and global
address lists.

The addition of Exchange ActiveSync’s built-in
support will give IT departments the ability
to set password policies, to set up VPN settings
and to perform remote data wipes on iPhones
that have been lost or stolen, Apple says. The
iPhone will also soon support Cisco IPsec VPN,
which Apple says will “ensure the highest level
of IP-based encryption available for transmission
of sensitive corporate data.”

Both Exchange ActiveSync and Cisco IPsec
VPN will be made available in Apple’s iPhone
2.0 software, which the company says is scheduled
to be released in June and will be given
to all iPhone customers as a free software
update. Apple CEO Steve Jobs, who acted as
master of ceremonies at the media event,
declined to comment directly when asked if
Apple hoped that its corporate upgrades to the
iPhone would make it competitive with
Research in Motion’s popular, enterprise-centric
BlackBerry mobile device. Jobs did, however,
allude many times to RIM’s recent network
outages, and he took some subtle digs at
the BlackBerry’s security infrastructure.

“You have to wonder about [BlackBerry]
security,” Jobs said during a Q&A session following
the announcement. “All BlackBerry e-mails
go through [RIM’s network operations
center] in Canada... you have to wonder, can
someone look at my e-mail while it is there?”

Over the past year, some analysts have
warned IT departments to not allow the
iPhone to connect to their networks, noting
that it has no way to deliver secure corporate e-mail
or to encrypt data sent and received
through the device. Phil Schiller, Apple’s senior
vice president of marketing, acknowledged
these concerns and said that these new features
were a reflection of what Apple customers
have told the company would make
the device enterprise-worthy.

In addition to bringing access to Exchange
ActiveSync and Cisco IPsec VPN, the iPhone
software update will include a copy of the
long-awaited iPhone software development kit
(SDK), which was first announced last October
and was initially scheduled to be released in
February. Jobs said at the time that he hoped
the SDK would prompt software developers to
create their own applications for the iPhone.

Several third-party developers demonstrated
applications they developed using the
iPhone SDK at the conference, including an
iPhone-friendly version of Instant Messenger
from AOL, an adaptation of Electronic Arts’
popular game Spore and an application
designed by medical software developer
Epocrates that provides healthcare professionals
with secure mobile access to patient
medical information.

Apple said that new applications for the
iPhone could be purchased through the App
Store, an application that will let users download
the applications directly to their devices.
Apple is letting developers set their own prices
for the applications and will give them 70% of
all sales revenue they generate. The App Store
application will also be part of the iPhone 2.0
software upgrade, the company said.

The iPhone SDK marks the first time that
Apple has openly welcomed outside developers
to create applications for the iPhone.

Microsoft simplifying ID mgmt.

‘Identity  bus’  would  let  applications  plug  into  security,  other  services 


BY  JOHN  FONTANA 

Microsoft  is  working  on  a  series  of  upgrades 
to  its  directory  and  identity  technologies  in 
the  coming  months  with  the  goal  of  creating  a 
service-based  identity  platform. 

Microsoft is leaving itself plenty of wiggle
room, saying that upgrades for such Active
Directory and client-based features as
Federation Services, CardSpace, Identity
Lifecycle Manager and claims-based access
control will come in 2008-plus. If the company
follows its stated development plans to release
a minor upgrade to the server every two years,
the “plus” would be 2010.

But the upgrades to the directory and identity
platform would be anything but minor, and
the presence of the claims-based access control
features points to the fact that Microsoft
would like to see identity become more of a
simple service and less of a complex infrastructure
companies are forced to build and
maintain.

Microsoft is already using claims-based
access for SharePoint and Rights Management
Server. Claims are a set of statements that identify
a user and provide specific information.
They are read by applications to make decisions
on who gets access, who can retrieve
content or who can complete transactions.

Last week, at NetPro’s Directory Experts
Conference, Microsoft expanded on its idea to
create a set of identity pieces that snap together
via standard protocols and provide what
the company referred to last week as an “identity
bus.”

The bus would move claims and be available
for applications to plug into in order to
take advantage of security and access control
features. The bus could live on either
side of the firewall and would have many
places on the network where “transformers”
could accept and dispense claims in many
different formats.

Some experts believe Microsoft plans to
head straight toward building such a services
infrastructure and bypass the current behind-the-firewall
approach to identity.

“I think their real aim is to skip this whole
generational identity and access issue and go
straight for the services goal,” says Earl Perkins,
an analyst with Gartner. “By doing this they will
be positioned for the consumer space and the
extranet, and they can show up to compete
with Google and already have security and
identity. So this platform is not ready yet, but in
24 months it will be closer to reality.”

Moving forward

Microsoft has a road map for
upgrading its directory that will likely
be completed by the time the R2
version of Windows Server 2008
ships in two years. Microsoft is coy
on timing, saying only that
improvements will come in 2008-plus.

Federation services

• ADFS 2, new ease of management
and federation capabilities

• Windows LiveID support;

Managed InfoCards

• Windows CardSpace 2.0

Identity life-cycle management

• ILM 3.0

Other

• Identity and access management
programming platform

• Support for Office 14

• Claims-based access control


Perkins says the services platform could be
adapted within enterprises by having integration
experts such as the Oxford Computing
Group, which specializes in Microsoft identity
and access management technologies, build
what companies need internally.

“It  still  seems  to  me  that  a  lot  of  different 
[Microsoft  product]  teams  are  in  play,  there 
are  a  lot  of  different  ideas  as  how  to  move 
identity  forward  within  Microsoft,”  says  James 
Booth,  director  of  the  Oxford  Computing 
Group.  “They  are  still  trying  to  figure  it  out 
themselves.” 

The  services  idea,  however,  is  not  far-fetched. 
Just  last  year,  Microsoft  CEO  Steve  Ballmer  said 
at  the  company’s  annual  partner  conference 
that  every  piece  of  Microsoft’s  shrink-wrapped 
software  would  have  a  services  element  and 
he  called  out  Active  Directory  by  name. 

Last  week,  Joe  Long,  general  manager  of  the 
connected  identity  and  directory  at  Microsoft, 
wasn’t  quite  that  blunt. 

“My team is focused on delivering products
that solve enterprise problems,” Long said. But
he said the ultimate goal was to reduce complexity,
and he showed a new management
interface and a PowerShell script-driven automated
tool for setting up federation that will
ship during the 2008 “plus” time frame. Active
Directory Federation Service (ADFS) 2.0, also
slated for that time frame, is where Microsoft
plans to begin shifting from a Web single sign-on
model to more of a pluggable platform for
applications.

“We want to make it so you can take these
products, install them, and take advantage of
them without having to work two months, two
years, 10 years with a developer or integrator
to get it to work.”

Microsoft also detailed its concept of an
identity bus that would be a plug-and-play service
for applications needing to authenticate
and authorize users.

Stuart Kwan, director of program management
for identity and access for Microsoft, said
the bus would feature transformers, places
where data contained within a claim would be
translated into different formats depending on
an application’s need. Kwan said the transformers
could handle such things as Kerberos,
X.509 certificates and assertions based on the
Security Assertion Markup Language (SAML).
Claims can come from Active Directory,
LDAPv3-based directories, application-specific
databases and new user-centric identity models
such as LiveID, OpenID and InfoCard systems,
including Microsoft’s CardSpace and
Novell’s Digital Me.

“Transformers  allow  us  to  fold,  spindle  and 
mutilate  the  data  in  any  way  we  want.  It  lets  us 
adapt  to  the  infrastructure  without  completely 
destroying  the  applications,”  Kwan  said. 

In addition to the services angle, Microsoft
said it is revisiting its stand on key protocols
it does not support, which could prove critical
to the success or failure of a services-based
platform.

The  protocols  include  the  entire  SAML  2.0 
specification,  Service  Provisioning  Markup 
Language  and  Extensible  Access  Control 
Markup  Language. 

“Microsoft has introduced an interoperability
promise, and we are trying to understand
the ramifications of that,” Long said. “Hopefully
we can make a commitment one way or the
other in the next few months.”

An inside look at technologies and standards

IPv6  allocations:  The  tide  comes  in 


BY  DAN  CAMPBELL 

2007 was a big year for IPv6. The five regional Internet registries —
tasked by the Internet Assigned Numbers Authority to govern IP
address allocations — made a total of 379 IPv6 allocations last year.
That is about 70% growth from 2006 and close to the 2002 peak, a dramatic
jump from what was a five-year pattern of decline. Clearly there is interest
and movement toward IPv6.


All RIRs made more allocations in 2007 than
in 2006 with the exception of the African Network
Information Centre (AFRINIC), which
was just slightly down. Because AFRINIC serves
such a large geographic area it saw the most
growth in overall allocation. The Latin
American and Caribbean Internet Address
Registry also continued on a fast pace, with the
Asia-Pacific Network Information Centre and
the RIPE Network Coordination Centre in
Europe moving steadily along as well.

The big story is the American Registry for
Internet Numbers (ARIN), whose 114 allocations
represent about 42% growth. ARIN serves
the United States, which is often said to have little
interest in IPv6 and is behind the rest of the
world. That appears to be changing, most likely
as a result of the self-imposed June 2008 government
mandate for IPv6 compliance.

It is worth noting that most allocations made
were to service providers. Until 2007, RIR policies
dictated that enterprises must acquire IPv6
addresses from their upstream service providers.
There were no policies that allowed
enterprises to acquire provider independent,
or “portable,” allocations directly from an RIR.
Although this policy had the good intentions of
promoting address aggregation and controlling
routing table growth, it fell under scrutiny
for various reasons.

First, the policy contradicted the primary
motivation for IPv6, which is the dwindling IPv4
address space, the difficulty many organizations
have in acquiring addresses and the
many side effects that presents. The policy led
to this conundrum: “I can’t acquire IPv4 addresses
and am being told to migrate to IPv6,
but despite IPv6’s virtually infinite address
space, I still can’t acquire my own addresses?”
Notwithstanding the benefits of aggregation,
this contradiction was tough to defend.

Second, the policy creates an anticompetitive
situation. Regardless of IPv6 features that make
renumbering easier, changing a live network’s
address scheme is always logistically complicated
and disruptive. An enterprise may decide
to stick with a service provider it may be unhappy
with simply to avoid the risk and effort
involved in renumbering.

Third, the policy created problems in multihoming
scenarios. In today’s world where
application and network availability are truly
mission critical, creating redundancy through
multihoming is a must for many organizations.
In IPv6, it is policy that service providers only
announce their aggregate blocks and not that
of other service providers. This creates a hardship
for those who want to have multiple
upstream providers.

For these and other reasons — and only after
considerable debate that is still ongoing — the
restriction on provider-independent space
needed to change. IPv6 provider-independent
policies have recently been adopted by some
RIRs and are up for consideration by others.
Because these policies are new, they have not
been taken full advantage of yet.

So what does all this mean for 2008? It is likely
that IPv6 will gain even more momentum.
Many international deployments will actually
gain visibility. China will unveil its national IPv6
network at the 2008 summer Olympic Games
in Beijing, and the U.S. government mandate is
set for June. This will influence deployments on
the commercial service provider side as well.

In  2007,  we  saw  announcements  about  IPv6 
backbone  deployments  from  major  service 
providers  such  as  Verizon  and  Sprint.  As  IPv6 
provider-independent  allocation  policies  kick 
in,  it  is  likely  there  will  be  a  considerable  boom 
on  the  enterprise  side.  All  told,  2008  may  be  the 
year  that  IPv6  makes  it  to  prime  time. 

Campbell is president of Millennia Systems
and can be reached at dcampbell@millenniasystems.com.


[Chart: IPv6 address allocations. After years of decline, 2007 was a turning point.]

[Chart: IPv6 allocation growth in 2007 by regional Internet registries.]

Parallels  Virtuozzo  Containers  4.0,  Part  1 


GEARHEAD

Mark Gibbs

Last week I started with a couple of tips on
Gmail.

A reader who shall remain anonymous wrote
in to ask “how to get my auto signature to stay at
the bottom of my reply when I reply to a chain
mail in Gmail. Today it goes to the end of the
chain mail.”

Dear Anon: There is no way I know of to do
this, but why are you replying to chain mail?
Chain mail is a curse of the Internet and isn’t worth dealing with. Of
course, that’s just my opinion.

Here’s another Gmail tip: If you use labels in Gmail and you use an
RSS feed reader that supports authentication, you can get an RSS feed
for any particular label by using the URL
https://mail.google.com/mail/feed/atom/label/ (obviously your name and
password connect you to your account despite the generic URL). Even
more cunningly, unread mail is automatically assigned the label
“unread” so you can keep an eye on what’s waiting for you with
https://mail.google.com/mail/feed/atom/unread/.

Anyway, last week I began discussing the recently released Parallels
Virtuozzo Containers 4.0, a product that performs operating system
virtualization. I summarized my thoughts about Containers as
“Outstanding! Amazing! Way cool!” and promised to tell you why.

First  of  all,  let  me  explain  what  Containers  is.  Unlike  products  such  as 
VMware  (which  I  still  love  in  an  unnatural  way),  Containers  virtualizes 
the  operating  system  it  runs  on  rather  than  creating  virtual  machines  - 
VOSs  rather  than  VMs,  if  you  will. 

Operating system virtualization makes the host OS services available
by routing application calls from the VOSs to the shared host OS. In the
VM architecture, an entire PC hardware environment is simulated in
each virtual machine.

On the plus side for VOSs, the memory usage and CPU utilization
overheads are lower because there’s only the host OS handling the system
calls rather than one OS per virtualized environment. This means you
can get more VOSs running on a given platform than you can when
using VM (Parallels claims three times as many).

That’s the plus side. On the minus side, all of the VOSs must be of the
same type as the host operating system. With a VM architecture, because
it emulates an entire hardware platform, you can run pretty much any
mixture of operating systems.

Here’s  a  curious  thing  I  discovered  while  testing  Containers:  You  can 
run  Containers  and  VMware  on  the  same  platform  at  the  same  time!  For 
testing  purposes  this  is  a  little  slice  of  paradise. 

Containers is available for 32- and 64-bit x86 processors for Windows
Server 200x and Linux, as well as for Linux IA64 on Itanium processors.
Best of all, the minimum requirement is a Pentium III processor with
1GB of RAM so it will run on your older server hardware.

Installing Containers — at least for Windows 2003, as I did — was a
no-brainer, but as with any system-level software, you’ve got some fairly
serious reading to do to understand all of the ins and outs of the product.

Once installed, you launch the Parallels Management Console and
create containers — that’s what the virtualized operating system
instances are called — from templates. These templates provide a
predefined set of services and applications.

I  swear  the  space  for  this  column  gets  smaller  every  week,  or  maybe 
the  products  just  get  bigger.  Next  week  we’ll  get  deeper  into  Parallels 
Virtuozzo  Containers. 

Briefly  brief  me  about  how  you  are  putting  virtualization  to  work  in  your 
shop  by  writing  to  gearhead@gibbs.com. 


Netgear gaming kit adds 802.11n to your net


The  scoop:  HD/Gaming  5GHz  Wireless-N 
Networking  Kit,  by  Netgear,  about  $200. 

What it is: The kit contains two pieces of hardware
that let users create a wireless bridge
between a router and a client. The main goal is
to allow for network access for Ethernet-enabled
devices that don’t have wireless or
hard-wired connections near their locations. This
can include networked set-top boxes, home
entertainment consoles (including Netgear’s own
EVA8000), and even video game consoles. While
other connectivity options exist, such as powerline
network adapters or other wireless Ethernet
bridges, this system is cool because it offers the
faster 802.11n wireless technology.

Why it’s cool: The beauty of this design is that in
addition to creating a bridge for a game console
or other Ethernet device, the system creates an
additional 802.11n-based wireless network. If you
have an existing 802.11g router, for example,
instead of ripping up that entire system and buying
a new 802.11n-based router, you can create an
802.11n network through the creation of this
bridge.

Here’s how it works: The device connected to
the existing wireless router also acts as its own
access point, using 802.11n to connect to the
client. The second device, acting as the client,
automatically connects, but because the first
device is acting as its own access point, the
system creates its own Service Set Identifier
name and wireless security settings. Any additional
clients with the ability to connect via 802.11n or 802.11a (a very
nice surprise) can connect to the first device over the faster wireless
link. IP addressing is still handled by the original router; the user is just
getting the benefit of the faster 802.11n wireless link.

Setting up the system for the first purpose (connecting a game console
to the network) was a breeze. The kit comes with power adapters
and Ethernet cables; it was just a matter of plugging in and waiting a few
minutes for the boxes to boot up and talk to each other. When I had the
system connected to an Xbox 360, the system was able to get its IP
address assigned without any difficulty, and I was
up and running with no problems.

Some caveats: The only problem I experienced was trying to figure
out the pass phrase for the 802.11n portion of the network. But after
installing the configuration program on my wireless notebook, I
was able to access the “access point” device and discover the pass
phrase. A bonus point for Netgear — the system comes with WPA
Personal encryption as the default setting, as opposed to other systems
that don’t have security enabled automatically.

Grade:  ★★★★★  (out  of  five) 

Shaw can be reached at kshaw@nww.com. Watch Cool
Tools and other exciting Network World videos at
www.networkworld.com/video.


COOL TOOLS


Netgear’s  802.11n  wireless  gaming  kit  creates  a 
wireless  bridge  between  a  router  and  a  client. 


DRM:  a  slow  clue  train? 


Random House is the latest major content owner to
start to think that maybe not all of its
customers are crooks.

The New York Times reported on March 3
that Random House has decided to offer all
of its audio books without digital rights
management (DRM) unless a particular retailer or
author objected. The Times reported that
Penguin Group would soon follow. The realization
that maybe exploring new business models
makes more long-term sense than trying to
make a model predicated on the distribution
of physical objects work in a digital age has
been slow, and far from uniform, but progress
is being made.

To date, most major music publishers have
embraced DRM-free distribution, some with
more enthusiasm than others. For example,
Sony-BMG seems to want to prove to itself that
the market does not want DRM-free music. It
has come up with a clumsy and expensive
process that requires a would-be purchaser to
visit a retail store before being able to download
a DRM-free copy of one of a few albums.
Sony’s competition could not have designed a
better system for Sony if the primary aim had
been to minimize the chance of success.

Most of the other major music publishers
have been offering DRM-free music through
Amazon.com or Apple iTunes. A number only
use Amazon.com, maybe to try to reduce
Apple’s power over them. That sort of reaction
is quite pathetic considering that Apple’s
iTunes proved that the music download business
was actually viable.

Random House did not decide to join the
DRM-free world without thinking about it. In a
letter (www.nwdocfinder.com/3024) to industry
partners in late February the publishing
house said that it had run some tests and, like
music publishers, had not found a correlation
between removing DRM and an increase in
piracy. They also noted that an author’s royalty
would be 50% higher for digital downloads
than for CD sales.

Random House is willing to continue to
support authors that fear the new world but
made it clear that Random House does not
think that is a good path to follow. In the letter,
it wrote “if an author is willing to forgo the
potential for increased sales through DRM-free
retailers, we will be able to support that
option.”

A few months ago I wrote about University of
Minnesota researcher Andrew Odlyzko’s thinking
on the subject of DRM, “Control vs. usability:
What’s DRM’s future?” (www.nwdocfinder.com/3023).
The move by Random House and,
potentially, Penguin Group is in recognition
of the reality that Odlyzko wrote about.

Not everyone sees the same reality. A few
vendors of high-end software still insist on
using DRM of one kind or another. One such
company is ColorByte Software, developer of
the ImagePrint software I use to print on my
new Epson 4880 printer. This software will only
run if a hardware token is plugged into the
computer (making me think that ColorByte
assumes I am a thief).

Movie  publishers  comprise  another  major 
class  of  nonbelievers.  I  expect  they  will  come 
around  eventually  but  it  could  be  quite  a 
while.  Meanwhile,  their  wares  will  continue  to 
be  distributed  illegally  and  they  will  continue 
“to  forgo  the  potential  for  increased  sales 
through  DRM-free  retailers.”  But  they  are  free  to 
choose  that  option. 

Disclaimer: Choice, even if constrained by
minimum requirements, is what a university is
all about. But Harvard, as far as I know, has not
expressed any opinion on the viability of sticking
to obsolete business models, so the above
is my own opinion.

Bradner  is  Harvard  University's  technology 
security  officer.  He  can  be  reached  at 
sob@sobco.com. 


NET  INSIDER 

Scott  Bradner 


The  business  case  for  mobile  collaboration 


You hear a lot these days about two topics:
mobility and collaboration. Unified communication
and collaboration is getting promoted
by vendors ranging from Microsoft and
IBM to Cisco, Avaya and Nortel.

And mobility is front and center on everyone’s
minds. Most IT folks I talk to expect an exponential
increase (more than 100%) in the
number of mobile-enabled workers in their organizations
over the next 12 months.

The gotcha? How to cost-justify the investment
in mobility and collaboration. Mobility is particularly
expensive — the average cost per mobile employee is around
$2,200 per year, including hardware, software, services and support. And
in this day and age, something so expensive doesn’t get implemented
without a solid ROI.

Here are some tactics for creating that ROI for mobility and collaboration.

First, remember two key points: The primary benefit of mobility is that
it speeds things up. That is, employees don’t need to wait until they’re
back in the office to access information. The primary benefit of collaboration
is that it improves overall context — employees have a better
and more targeted information base from
which to make decisions.

So when you’re looking to make the case for
mobility and collaboration, look for scenarios
in which improving the timeliness and accuracy
of a process can net clear rewards. This usually
involves business processes in which employees
are working away from their desks —
out in the field, in front of customers, or helping patients in hospitals.
(Often, these are employees who don’t have a desk in the first place.)

Once you’ve outlined a handful of potential case studies, look closely
at how these folks are working. Pay special attention to how they handle
record-keeping, data entry and data gathering. If it involves a trip
back to headquarters, rather than happening on the spot, that process
can probably be improved with mobility. For example, sales agents
whose job involves products in retail stores benefit from being able to
order replacement products on the spot — and being able to do so
may keep competitors’ products from gaining shelf space. Thus,
mobile-enabling sales agents results in a net increase in the revenue they drive.

Similarly, adding instant messaging to help desks can increase the
number of customers that a single help-desk agent can process — and
the satisfaction level of the customers. Increased satisfaction levels have
a direct correlation with repeat business.

Don’t try to boil the ocean. Once you’ve identified a few likely candidates,
pick a single business process, and work closely with the owner
of that process to craft a program that demonstrates a clear ROI. Once
you’ve proven it in one case, you can expand the project across the
company.

And don’t hesitate to ask vendors and suppliers for help. Cisco and
AT&T have programs for key clients in which they’ll provide consulting
resources to craft business cases, at no charge. Smaller organizations
may need to seek paid support from consultants,
but it’s money well spent if you can justify
a broader rollout.

Johnson is president and senior founding partner
at Nemertes Research, an independent technology
research firm. She can be reached at
johna@nemertes.com.


EYE ON THE CARRIERS

Johna Till Johnson


McAfee security system delivers "Total Protection"

McAfee's Total Protection Service offers lower TCO than Symantec and Trend Micro products


Nortel ERS switches show "green" by offering lower port
costs, better energy efficiency than Cisco/HP gear

ERS 2500/4500 offer up to 83% lower price per port than other products tested
and use less energy for power and cooling


Tests reveal HP StorageWorks SAN Kit eases installation

StorageWorks results in nearly 2/3 fewer deployment steps compared to traditional SANs and also boosts
I/O performance


Nortel BES switches pack performance punch, offer cost advantages
for SMBs over rival products

BES switches delivered wire-speed performance while costing considerably less than
Cisco/HP switches tested


Tests highlight security prowess of NetClarity EasyNAC appliances

Delivers effective security through proactively discovering and managing common
vulnerabilities and exposures


Fujitsu XG2000 switch attains 10GbE throughput, ultra-low
latency in performance tests

XG2000 switch couples ultra-low latency with zero-loss throughput

Radware data center switches demonstrate lead over F5
Networks devices in Layer 7 and security tests

OnDemand Switch Series routinely outperforms F5’s BIG-IP 6800 and smaller
models during Layer 7 performance and security tests


McAfee security service delivers "Total Protection" with lower TCO than
Symantec and Trend Micro solutions


Sponsor:  McAfee,  Inc. 

Product  class:  Security  software 


A Tolly Group study commissioned by
McAfee, Inc. shows that McAfee's Total
Protection Service¹ lowers TCO to less than
half of Symantec Endpoint Protection Small
Business Edition 11.0 and Trend Micro Client
Server Messaging for SMB products.

The TCO analysis reveals that the McAfee solution
costs $2,374 for the first year and $3,561
with the purchase of a two-year contract. The
first-year costs for the Trend Micro and
Symantec solutions can be as much as 260%
(or 2.6X) higher than McAfee due to management
server deployment and maintenance
costs. Given even a conservative estimate of
the cost associated with the local management
server for Trend Micro and Symantec, for the
first year, SMB users will spend $5,520 for the
Trend Micro solution and $6,255 for the
Symantec solution.

If  users  purchase  a  two-year  support 
contract,  they  will  spend  $6,970  for  the 
Trend  Micro  solution  and  $8,854  for  the 
Symantec  solution.  This  shows  that  with  a 
two-year  contract  each  user  costs  $36  per 
year  with  McAfee,  $70  with  Trend  Micro 
and  $88  with  Symantec. 

Even if engineers zero out the cost of
running the management server in the local network,
the subscription fee for McAfee's 50-user
solution is similar to the Trend Micro 50-user
solution but about 25% cheaper than the
Symantec 50-user solution. This proves that
regardless of the costs associated with a
management server, McAfee users spend the
same amount of money or less.


http://www.mcafee.com 


The study also shows that McAfee's service
provides users with greater flexibility and
higher reliability for SMBs than its counterparts
because all McAfee users need to do is
to buy more subscriptions as their businesses
scale and they leverage a management
server infrastructure that is maintained by
dedicated, specialized McAfee support
professionals. This is a key driver and value
proposition of a service solution.

Testing also shows that McAfee's Total
Protection Service has a much faster
deployment versus comparable Symantec
and Trend Micro offerings primarily because
no management server system needs to be
installed and provisioned.

In the end, by saving money and time, users
can focus their company’s efforts on core
competencies, leaving the management of
your IT security solution to the experts.

Figure: TCO of Endpoint Protection Solutions for SMBs (50 Users): Security as a Service vs. Traditional Software Solutions.
Bars compare one-year and two-year contracts for McAfee Total Protection Service,
Trend Micro Client Server Messaging Security for SMB, and
Symantec Endpoint Protection Small Business Edition 11.0.


1  Formerly  known  as  McAfee  Total 
Protection  for  Small  Business  —  Advanced 


Dramatically lower Total Cost of Ownership


Increases reliability and availability by alleviating the need for in-house IT
infrastructure and resources


le  URL  click —no  sc 
and  configure  client 


Offers  greater  flexibility  to  company's  growth  compared  to  Symantec  and  Trend 
Micro's  solutions 


View the full report at:

http://www.tolly.com/DocDetail.aspx?DocNumber=208255


Nortel thinks "green" as Ethernet switches
offer lower port costs, better energy
efficiency than Cisco/HP gear tested

Figure: Three-Year Operational Cost of Switches Tested in Default Mode,
Based on 2006/07 Commercial Average Electric Price. Switches shown:
Nortel ERS 2526T-PWR, Nortel ERS 2550T-PWR, HP ProCurve 2626-PWR,
HP ProCurve 2650-PWR, Nortel ERS 4550T-PWR, Nortel ERS 4548GT-PWR,
Cisco Catalyst 3560G-48PS, Cisco Catalyst 3750G-48PS,
Cisco Catalyst 3560E-48PD, Cisco Catalyst 3750E-48PD.

Note: Left bar of each pair represents three-year cost for power used in heat dissipation (converted back from BTU/hr); right bar represents
three-year cost to power switch. Triangle points represent the three-year costs related to switch power consumption and heat dissipation.


A recent report commissioned by Nortel shows that
the company's ERS 2500/4500 Series switches cost
up to 63% less than Cisco and HP ProCurve switches
tested while delivering power over Ethernet. The
tests also proved that the Nortel switches were the
most energy efficient, using 41% to 56% less energy
than other devices tested.

Tolly Group engineers validated the price per port to
deliver ~15.4W across all ports in a 48-port switch.
The results show an average savings of $237 per PoE
port when using the Nortel ERS 4550T-PWR and
4548GT-PWR with an RPS 15 against Cisco Catalyst
3560E-48PD and 3750E-48PD.

Supporting 48 PoE ports, the Nortel ERS 4550T-PWR
with RPS 15 achieved the lowest price per PoE port
at $146, while the Nortel ERS 4548GT-PWR with
RPS 15 cost $150 per port. This is 50% to 55% less
than the per-port prices for the Cisco Catalyst
switches. The per-port prices for the Catalyst 3560E-48PD
and 3750E-48PD were $312 and $458,
respectively.

When engineers tested 21 full-power PoE ports on the
Nortel ERS 4500 Series and the Cisco Catalyst
3560G-48PS and 3750G-48PS switches, they found
that the Cisco devices, on average, cost $326 more
on a per-port basis.

Cost savings aside, The Tolly Group's hands-on evaluation
found that network managers can take advantage
of the multiple PoE power management features
offered on the Nortel PoE switches. Engineers were
able to configure the Nortel ERS PoE switches
to set the power threshold, power usage priority, and
different PoE classes. Plus the Nortel ERS showed a
quick recovery, often in less than 15 seconds, when a
PoE port had to shut down to protect the PoE switches.

Environmentally friendly device characteristics, such
as low power consumption and heat dissipation,
are becoming key criteria for switch deployments,
especially those providing PoE.

From an operational cost standpoint, the Nortel
switches in this test were up to 56% less costly
than the Cisco and HP ProCurve devices tested.
The reduction in power consumption validates
that the Nortel switches are "greener" than the
competitive products tested.


• ERS 4500 Series offers 62% lower
price per port than Cisco E Series
switch tested in a 48-port scenario
running full power PoE (~15.4W)
across 48 ports

• ERS 4500 Series offers 63% lower price per
port than Cisco non-E Series switch tested
in a 48-port switch running full power PoE
(~15.4W) in half of the switch ports

• ERS 2500 Series offers 5t% lower price
per port than HP ProCurve 2600 Series
in a 24/48-port switch running full
power PoE (~15.4W) across 12 ports

• Nortel switches were the most energy efficient,
using 56% less power than
Cisco devices tested and 41% less
than HP devices tested


View the full 4548GT-PWR report at:
http://www.nortel.com/data


Tests reveal HP StorageWorks 8Gb Simple
SAN Connection Kit redefines ease of SAN
installation and boosts I/O performance


A February 2008 hands-on evaluation by The Tolly
Group finds that a new high-speed Fibre Channel (FC)
connection kit from HP will vastly simplify deployment
for enterprise and SMB users, while also
dramatically increasing performance.

The  storage  area  network  (SAN)  solution  is  anchored 
by  the  HP  StorageWorks  8Gb  Simple  SAN  Connection 
Manager  (SSCM),  which  uses  an  intuitive  wizard  to 
help  installers  walk  through  SAN  setup,  provisioning 
and  managing  a  SAN  in  almost  a  third  of  the  time 
required  to  piece  together  traditional  SAN  solutions. 
This  application  is  included  with  every  HP  switch. 

The StorageWorks 8Gb Simple SAN Connection Kit
combines HP StorageWorks 81Q PCI-e FC host bus
adapters (HBA) and an HP StorageWorks 8/20q FC
switch, based upon technology OEMed from QLogic to
connect to either the HP Enterprise Virtual Array (EVA)
or Modular Smart Array (MSA) storage systems.

The simplicity delivered by the HP StorageWorks
Simple SAN Connection Kit is well beyond the
installation capabilities provided by earlier
generation 4Gb SANs. For the evaluation, Tolly
Group engineers compared the HP SAN solution
to a 4Gb Fibre Channel SAN solution based upon
HP servers, a 4Gb HBA, an HP 4Gb switch, and
their respective management applications.


These tests showed that the HP 8Gb FC solution
required only 33 steps and 7 variables to install the
solution compared to 85 steps (2.6X more) and 21
variables (3X more) for the older SAN solution. This
translates into fewer human errors when deploying
the HP StorageWorks kit. This also helps in provisioning
and managing storage by using just a single efficient
application, the HP SSCM. To provide a bit more
context, engineers noted that when using the SSCM
on average a SAN installation completed in 15 to 20
minutes. With the 85 steps required for the traditional
SAN solution, engineers needed two hours for the first
installation, but that time is largely dependent on the
level of SAN expertise the installer can offer.

The ease of deployment is attributed to the single management
application — the StorageWorks SSCM —
that is used for each component (HBAs, switches and
storage targets), rather than using a hodge podge of
tools to configure each component independently.

On the performance side, the HP StorageWorks 8Gb
SAN solution delivered anywhere from 31% to 52%
more I/O operations per second than the older 4Gb
SAN, and achieved maximum throughput of 1,125
Megabytes per second (MB/s), or up to 50% more
throughput than offered on the 4Gb SAN solution.

If ease of deployment and performance is not enough
justification, pricing for the StorageWorks 8Gb SAN
solution is comparable to prior-generation 4Gb
solutions, making this kit that much more enticing.


• Simplified Fibre Channel SAN
installation and management with
single management pane

• Nearly two thirds reduction in
deployment steps compared to
traditional SAN solutions

• Provides one third the number of
variables to complete than a typical
SAN installation

• Delivers up to 51% more input/outputs
per second and 50% more
throughput (Mbps) than 4Gb Fibre
Channel solutions


View  the  full  report  at:  http://www.tolly.com/DocDetail.aspx?DocNumber=208276 

Throughput  Comparison  of  HP  StorageWorks  8Gb 
and  Traditional  4Gb  Fibre  Channel  SAN  Solutions 


Nortel  SMB  switches  demo  performance, 
offer  cost  advantages  over  rival  products 


Figure: Price per Gigabit of System Capacity (lower bars are better).
Switches under test: Nortel BES50GE-24T PWR, HP ProCurve 2626-PWR (J8164A),
Cisco Catalyst Express 500 (WS-CE500-24PC).

Note:  Devices  offered  different  numbers  and  types  of  ports.  This  calculation  provides  a  direct  comparison 
of  system  throughput  capacity  vs.  cost.  Based  on  U.S.  dollar  retail  price  without  service  contracts. 


•  BES50GE-24T  PWR  costs  less  than 
Cisco/HP  offerings  tested  when 
measured  on  a  per-port  or  a  per-system 
capacity  basis 

•  BES50GE  24T  PWR  offers  SfVlBs  key 
functions  such  as  QoS, ..VLANs,  ACLs 
and  PoE 

•  BES50GE  24T  PWR  exceeds  rival 
products  tested  in  terms  of  lower 
power  consumption  and  noise  level 

•  BES  Switch  Series  models  tested 
delivered  wire-speed  throughput 
across  all  ports  and  introduced  very 
low  levels  of  latency 

• BES Switch Series models tested achieved 100% of VoIP call completion with excellent quality voice scores


Two  tests  focusing  on  switching  products  for 
SMBs  reveal  that  Nortel's  Business  Ethernet 
Switch  (BES)  family  is  a  price/performance  leader 
over  switches  from  Cisco  and  HP  ProCurve. 

A  February  2008  Tolly  Group  report  finds  that  the 
Nortel  BES50GE-24T  PWR,  a  Gigabit  Ethernet 
LAN  switch  that  delivers  Power  over  Ethernet 
(PoE),  offers  a  better  combination  of  high-speed 
data  transfer  and  power  delivery  than  the  Cisco 
and  HP  switches  tested  and  it  costs  significantly 
less  than  the  rival  products. 

Buyers  of  the  Cisco  Catalyst  Express  500  and  HP 
ProCurve  2626-PWR  solutions  pay  $411  and 
$392,  respectively,  per  Gigabit  of  system  capacity, 
whereas  Nortel's  BES50GE  delivers  that  capacity 
at a cost of $38 — up to 11X less per Gigabit.

If  users  instead  look  at  just  a  raw  "per-port"  price 
comparison  where  price  is  divided  by  port  count, 
the  Nortel  cost  of  $38  compares  favorably  against 
$70  and  $66  for  older  Fast  Ethernet  technology 
from Cisco and HP.


Engineers  also  conducted  power  consumption  and 
noise  (Sound  Pressure  Level)  tests.  Results  show 
that  the  Nortel  BES50GE-24T  consumes  less 
power  and  generates  less  noise  than  the  HP 
switch,  and  matches  the  Cisco  switch. 

View the full white paper at:
http://www.tolly.com/DocDetail.aspx?DocNumber=208271

A  September  2007  Tolly  Group  test  on  the  BES 
50/100/200/1000  models  shows  that  the  Nortel 
switches  achieve  wire-speed  performance  over 
all  ports  using  standard  Ethernet  frame  sizes 
and  port-to-port  forwarding.  In  addition,  the 
switches  introduce  very  low  latency  and  complete 
100%  of  voice  over  IP  (VoIP)  calls  with  excellent 
voice  quality. 

From a pure performance standpoint, the Nortel BES200 switch demonstrated 8 Gbps of bidirectional stack throughput (16 Gbps of total switching capacity) using eight 10/100/1000 Base-T uplink ports, and eight 10/100/100 Base-T stacking ports on a four-switch stack. This provides an easy-to-manage, scalable switch stack with up to eight 10/100/1000 Base-T uplink ports, 192 10/100 Base-T ports, and up to 96 dedicated PoE capable ports to anchor SMB networks as they evolve.

All the BES switches tested also exhibited low standard deviation of latency — less than 10 microseconds (µsec) — for the standard Ethernet frame sizes tested, implying that the switches provide predictable performance required for converged applications like VoIP.

The BES switches also demonstrated support for "toll-quality" voice and 100% call completion rate while handling 100 VoIP calls. The mixture of line-rate throughput, low standard deviation of latency and support for VoIP traffic shows that the BES switches are very capable of anchoring SMB-class networks.


View the full white paper at:
http://www.tolly.com/DocDetail.aspx?DocNumber=207246


Radware OnDemand Switches outperform F5 Networks platforms in Layer 7 and security tests


Radware  commissioned  The  Tolly  Group  to 
evaluate  its  OnDemand  Switch  product 
line,  an  application-aware  platform  targeting 
next-generation  application  requirements 
for  enterprise  and  service  provider 
customers.  The  new  product  line  offers 
scalable  throughput  of  more  than 
3.7  Gbps. 

Tests  show  that  the  OnDemand  Switch  2 
routinely  outperforms  the  BIG-IP  6800  and 
smaller  models,  during  both  Layer  7 
performance  and  security  tests.  Engineers 
measured  the  Layer  7  performance  of  all 
devices  tested  sending  a  single  HTTP  request 
per  connection  and  10  HTTP  requests  per 
connection  for  various  object  sizes. 


[Figure: Layer 7 Average Throughput (10 HTTP Requests)]

The OnDemand Switch 2 handled 348,096 transactions per second (tps), for an average throughput of 1.76 Gbps and average response time of 0.032 milliseconds (msec) when handling 128-byte objects and 10 HTTP requests per connection. At larger packet sizes of 4-KB, the OnDemand Switch 2 achieved throughput of 3.72 Gbps and processed 99,491 transactions with an average response time of 1.65 msec.




By contrast, F5’s BIG-IP 6800 was only able to attain 283 Mbps of throughput and process 53,953 tps with a response time of 3.88 ms when handling 128-byte packets and 10 HTTP requests per connection. That represents 6X less throughput compared to the OnDemand Switch 2 for 6.5X fewer transactions served. At larger packet sizes of 4 KB, the F5 platform achieved a throughput of 1.47 Gbps and processed 38,766 transactions with an average response time of 5.88 ms, more than 3X slower than the Radware switches.

From a security standpoint, the OnDemand Switch 2 under a DDoS event of 10,000 unique attackers mitigated 783,000 ICMP attack packets with a response time of 4.01 ms while holding a sustained throughput of 1 Gbps. The BIG-IP 6800, by contrast, managed to handle only a maximum of 400,000 ICMP attack packets with a response time of 23.46 ms, 6X slower than the OnDemand switches.

The  same  advantage  held  true  in  a  simulated 
DDoS  SYN  attack  scenario.  The  OnDemand 
Switch  2  with  a  baseline  of  1  Gbps  handled  a 
maximum  of  500,000  SYN  attack  packets. 
The  BIG-IP  6800  under  the  same  conditions 
managed  to  handle  only  300,000  SYN  packets. 


Exhibits  over  348K  Layer  7  tps  —  more  than  5X  the  transactions  handled  by 


Delivers  over  3.5  Gbps  of  throughput  when  handling  10  HTTP  trar 
connection  and  object  sizes  of  f-KB  to  512  KB,  while  F5’s 
maximum  throughput  of  2.47  Gbps 


nd  SYN  attac 


Combats  I 


performance  degradation  while  processing  up  to  498/b 
BIG-IP  devices  tested,  which  degraded  at  lower  thres 


View the full report at:
http://www.tolly.com/DocDetail.aspx?DocNumber=208285

Tests highlight security prowess of NetClarity EasyNAC appliances

• Protects networks with sophisticated features including clientless network admission control (EasyNAC)

• Delivers MITRE CVE certified, compliance driven, proactive vulnerability management using hardened appliances

• Generates vulnerability management and regulatory compliance reports in PDF, CSV, HTML, SYSLOG and XML formats

• Offers simplified workflow, policy and remediation tools with user level access control

• Provides dynamic, user controlled alerts on trusted and untrusted network assets using E-mail, SMS cell phone paging and SNMP traps


[Table: NetClarity EasyNAC Enterprise, EasyNAC Branch and Endpoint Defender, Salient Feature Summary. Features compared:]

• Asset discovery and classification
• Asset inventory monitoring and alerts
• 'On demand' and 'scheduled' asset audits across multiple IP subnetworks
• Regulatory compliance reports (in PDF, CSV, XML, HTML, SYSLOG formats)
• Dynamic endpoint quarantine using firewall and smart switch integration (when using supported firewall/smart switch hardware)
• Automatic Vulnerability Signatures and/or Software Updates
• PCI Security Standards Council-approved scanning equipment
• Real-time protection against malware, trojans, viruses etc.
• Real-time 'anomaly-based' detection and protection against zero-day attacks

NetClarity  Inc.  commissioned  The  Tolly  Group 
to  evaluate  its  EasyNAC  Enterprise™,  EasyNAC 
Branch™  appliances  and  Endpoint  Defender™ 
software  in  terms  of  security  vulnerability 
management,  Network  Admission  Control  (NAC) 
and  endpoint  security  features. 

Tolly  Group  engineers  examined  NetClarity's 
EasyNAC  Enterprise  and  EasyNAC  Branch 
vulnerability  management  appliances  and 
Endpoint  Defender  endpoint  security  solution 
and  determined  that  it  delivers  effective 
security  through  proactively  discovering 
and  managing  common  vulnerabilities  and 
exposures  (CVEs),  and  providing  network 
admission  control,  remediation  workflow 
and  regulatory  compliance  audit  tools  in  an 
easy  to  deploy  and  easy  to  manage  solution. 


EasyNAC  Enterprise  appliance  was  configured 
to  audit  network  assets  to  identify  CVEs, 
quarantine  untrusted  or  malicious  assets, 
and  provided  remediation  and  workflow 
scheduling  tools. 

The Tolly Group's hands-on examination found that the EasyNAC Branch appliance provided the same functionality in a smaller appliance for branch office networks. It was also tested for remote monitoring using the same management interface as the EasyNAC Enterprise, allowing for correlation of audit data across the whole network.

Both  EasyNAC  products  were  verified  for  their 
support  of  popular  firewalls  from  Juniper 
NetScreen,  Secure  Computing,  Checkpoint 
Technologies,  and  Cisco  Systems. 


Endpoint Defender software running on endpoints was tested to provide real-time Host-based Intrusion Prevention (HIPS) against common viruses and trojans such as Bugbear, Sasser, Keylogger and zero-day attacks. Engineers also verified that the Endpoint Defender software guards against data leakage related to removable storage media, including USB, floppy, CD and DVD-based media.

Finally, tests show that the software consumes few system resources when idle and even during an attack. And it could not be disabled or bypassed by killing the Endpoint Defender process while the OS is running, thus providing continuous protection against attacks.

For more info on this test, visit:
http://www.tolly.com/DocDetail.aspx?DocNumber=208294

Fujitsu XG2000 switch attains 10GbE throughput, ultra-low latency in performance tests

[Figure: Fujitsu XG2000 Layer 2 Zero-Loss Throughput Across 20 10GbE Ports in a Full-Mesh Configuration, as reported by Spirent TestCenter Application 1.21 (all values shown are 100%)]


A recent Tolly Group test found that Fujitsu's XG2000 20-port 10 Gigabit Ethernet (10GbE) switch combines ultra-low latency with high 10GbE performance to link directly to 10GbE-capable servers as a high-speed interconnect.

The  hands-on  test,  commissioned  by  Fujitsu, 
also  found  that  the  XG2000  delivers  the  ultra 
low-latency  needed  for  high  performance 
cluster  computing  —  traditionally  the 
domain  of  Infiniband  and  other  proprietary 
technologies. 

By offering ultra-low latency in an Ethernet switch, the same personnel that run the existing Ethernet network can extend those skills to support 10GbE without additional investment or training that may be required for "non-traditional" technologies, such as Infiniband.


In Layer 2 forwarding performance tests, the XG2000 achieved line-rate zero-loss throughput for all 14 frame sizes tested — ranging from 64 bytes to 16,128 bytes. Line-rate performance was realized for both a 10GbE, 20-port full-mesh scenario, and a 20-port snake configuration. Even when handling an Internet traffic mix (64, 78, 576 and 1,500 bytes), the XG2000 achieved line-rate throughput. Out of 6,067,080,940 frames of Internet-mix traffic transmitted, the XG2000 did not drop a single frame.

From  a  frame  forwarding  perspective,  the 
XG2000  forwarded  the  theoretical  maximum 
of  14,880,952  64-byte  frames  per  second 
for  each  port,  812,743  frames  at  1,518- 
byte  frames  per  second,  and  77,407  frames 
per  second  when  tested  with  the  maximum 
frame  size  of  16,128  bytes. 


• Achieves 100% of line-rate zero loss 10GbE throughput when tested across 20 full-mesh ports, when handling frame sizes ranging from 64 bytes to 16,128 bytes


■eitj 
line  rate 
tested 
sizes  in 


• Demonstrates ultra-low latency, just 339 ~ 363 nanoseconds (XFP transceiver latency included) across frame sizes ranging from 64 bytes to 16,128 bytes at 100% load in a full snake configuration


339  nanoseconds  (XFP  transceiver  latency 
included)  with  16,128-byte  frames  to  359 
nanoseconds  with  64-byte  frames,  or  341 
nanoseconds  on  average  across  the  14 
frame  sizes  tested.  When  handling  an 
Internet  mix  of  traffic,  latency  introduced 
by  the  switch  was  just  363  nanoseconds 
(XFP  transceiver  latency  included).  This 
proves  that  XG2000  consistently  provides 
ultra-low  latency  regardless  of  the  frame  size. 


View the full test summary at:
http://www.tolly.com/DocDetail.aspx?DocNumber=208281


Sponsor: Fujitsu Computer Products of America, Inc.

Product class:

• 10GbE core network, data center switch


Testing  window:  July  2007 


On  the  latency  front,  the  XG2000 




CLEAR  CHOICE  TEST  VOIP  MANAGEMENT 


VoIP  monitoring  tools  mature  with 
addition  of  troubleshooting  tools 

In  a  very  close  race,  Touchstone’s  WinEyeQ  edges  out  the  competition 

BY  ROB  SMITHERS,  NETWORK  WORLD  LAB  ALLIANCE 


The five tools we reviewed dig deep into VoIP networks to root out the causes of problems and provide network administrators with easy-to-understand, graphical displays of VoIP activity.

In past reviews (www.nwdocfinder.com/3921), we focused on the ability of these products to give network administrators insight into their company’s VoIP networks. This time around, we wanted these products to help diagnose and repair the VoIP problems they see. Specifically, we looked for proof that they accurately isolate the problematic VoIP calls and allow for proactive management of the VoIP streams.

Products from ClearSight Networks, Codima Technologies, JDS Uniphase (JDSU), WildPackets and Touchstone Technologies were tested by Miercom engineers in their central New Jersey lab. (For a full listing of available VoIP monitoring tools, see our Buyer’s Guide at www.nwdocfinder.com/1103.) Testing focused on six categories: setup, configuration and deployment; display and interface; real-time monitoring; diagnostics and troubleshooting; reporting, alerts and triggers; and advanced features.

Some of those advanced features include extensive codec support; Perceptual Evaluation of Speech Quality analysis for testing networks; R-factor correlation; the ability to measure video quality; special provisions for analyzing voice over Wi-Fi; and simultaneous multisegment analysis.

All  the  products  tested  support  Session  Initiation  Protocol  (SIP)  and 
can  be  used  in  multivendor  environments.  Codima’s  product  did  have 
a  tighter  integration  for  monitoring  Avaya’s  VoIP  because  Codima’s  first 
deployments  were  rooted  in  Avaya  deployments. 

They  differed  primarily  in  how  accurately  they  assessed  the  voice 
quality  of  degraded  calls,  how  well  they  provided  expert  advice  —  the 
meaning  of  the  error  or  logged  event,  suggestions  on  how  to  fix  it,  and 
what  else  to  look  for  in  the  network  related  to  the  problem  —  and  how 
many  VoIP-specific  alerts  and  other  criteria  they  monitored. 

Most products could inject or replay traffic. Being able to replay the audio stream and hear for yourself what the suspected bad VoIP call sounded like offers a reality check to troubleshooting when it’s coupled with mean opinion score (MOS) and R-factor scores. (MOS is a voice-quality rating that ranges from 1.0 [worst] to 5.0 [best].) As a side benefit, this feature allows you to apply traffic back on the network for limited stress testing, predeployment-site-survey purposes or other, more involved troubleshooting tests of the underlying network hardware in the converged network.

In general, the products we tested offered more accurate voice-quality measurement than past versions did, made it more possible to drill down and see specific call detail and measurement data while allowing managers to monitor a greater aggregate of trunks or call groups, and included more-advanced troubleshooting abilities and better expert advice on where to look for a fault and how to interpret the alerts or warnings.

However, the products all seemed unable to provide trend-analysis data beyond a week. Most vendors seem to be moving toward integration with third-party trend analysis tools to digest the huge amount of data these VoIP monitoring tools generate in real time over time.

This  one  is  really  almost  too  close  to  call,  because  there  is  only  a  .32 
difference  (on  a  five-point  scale)  between  the  highest-  and  the  lowest- 
scoring  product  in  this  test. 

Touchstone’s WinEyeQ provides the most accurate VoIP statistics and voice-quality assessment in real time and very narrowly wins our Clear Choice Award. It served up details on just about every converged network problem we threw at it. From SIP proxy-setup problems to underlying network problems, we could easily isolate and see to a gnat’s-eye level of engineering detail what the problem was.

ClearSight Distributed offered a very complete, rich set of features for managing networks, VoIP and beyond. It was best at isolating faults in our VoIP network and troubleshooting more than a dozen common converged-network problems.

JDSU’s PVA-1000 is a very cost-effective, distributable VoIP analysis and management tool. Strength in protocol analysis and decoding ability, which are where JDSU’s roots lie, is evident. The $8,000 complete package is impressive, with its unlimited-distribution client and ability to put a “click here” interface for desktop users to track bad VoIP calls.


NETRESULTS

Product: WinEyeQ Professional
Vendor: Touchstone Technologies, www.touchstone-inc.com
Price*: $20,000
Pros: Highly scalable; effective and detailed interface; very accurate VoIP-quality assessment.
Cons: Online help not context sensitive; no data-post-capture analysis; no expert commentator.
Score: 4.05

Product: ClearSight Analyzer Distributed 6.1.6
Vendor: ClearSight Networks, www.clearsightnet.com
Price*: $20,000
Pros: Excellent remote-management ability; intuitive drill-down interface; excellent real-time voice and video monitoring.
Cons: Online help not context sensitive; no expert commentator; unable to set up thresholds for many of the alerts.
Score: 3.92

Product: PVA-1000
Vendor: JDS Uniphase, www.jdsu.com
Price*: $8,000
Pros: Great interfaces and navigability; good alerting capabilities; interoperability with third-party capture agents; strong voice-quality statistics and playback features.
Cons: No expert commentator; difficult to distribute updates to remote agents (via FTP); real-time graphical display for voice quality limited.
Score: 3.88

WildPackets’  OmniPeek  Enterprise  went  beyond  VoIP  as  well,  and 
included  e-mail  and  instant-messaging-rebuild  replay  capabilities.  It 
also  featured  an  expert  commentator  to  help  troubleshoot  problems 
detected  on  the  VoIP  network. 

Codima  Toolbox’s  autopopulating  graphical  interface  was  the  most 
intuitive.  Endpoint  IP  phones  appear  as  individual  icons  that  allow  for 
easy  drill-down  for  call  statistics.  We  give  it  outstanding  marks  for  ease 
of  use  and  its  network-autodiscovery  capabilities. 

Although we encountered an occasional hiccup, a few minor glitches and some petty shortcomings, we by and large were impressed with all five VoIP-analysis tools, and would have no reservations recommending any of them.

Touchstone  Technologies  is  spot-on  with  VoIP  monitoring 

The first fundamental requirement of any VoIP analysis and troubleshooting tool is that it report accurate information while monitoring a network. The four basic measurements — voice quality, latency, packet loss and jitter — are key metrics that must be assessed accurately and in real time. The key differentiator in this round of testing was the accuracy of the tools in measuring these four metrics.

The second fundamental requirement of any VoIP analysis and troubleshooting tool is usability. If it is difficult to set up, if the configuration challenges even experienced VoIP engineers, if it cannot be configured to scale with the environment it is designed to monitor, the requirement for accuracy doesn’t really matter.

Touchstone’s WinEyeQ came out on top in our testing based on how well it nailed these two fundamentals. WinEyeQ has a clean, intuitive interface that is very effective whether it’s watching one call or thousands. There are no worries about IT administrators or other computer-savvy operators not being able to deploy and use this product.

As for accuracy, WinEyeQ also provided the most precise voice-quality and network-operations statistics of all the products tested; it came closest in pinpointing actual MOS, R-factor and jitter conditions. WinEyeQ was always within 0.1 of the “actual” MOS rating for voice quality, and within 10% for jitter and latency measurements. It did so on the first attempt, whereas most of the other products required extensive tuning to detect our network’s problems accurately. WildPackets’ OmniPeek Enterprise was the closest to WinEyeQ’s benchmark, coming within 0.2 of the rated MOS expected, but it was not consistently accurate.
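The metrics and the accuracy bar discussed above can be made concrete with a short sketch. This is an added example, not code from the review or from any tested product: it derives packet loss and interarrival jitter (RFC 3550) from RTP header fields, maps an R-factor to MOS with the ITU-T G.107 formula, and applies the 0.1 MOS / 10% jitter tolerance the review cites. It goes beyond the text in showing the formulas; the packet values, the 8 kHz clock and all function names are assumptions constructed for illustration.

```python
"""Added example: RTP loss and jitter, R-factor to MOS, and an accuracy check.

All packet values are constructed; nothing here comes from a reviewed product.
"""
from dataclasses import dataclass

CLOCK_HZ = 8000  # assumption: G.711 audio, 8 kHz RTP timestamp clock


@dataclass
class RtpPacket:
    seq: int          # 16-bit RTP sequence number
    rtp_ts: int       # RTP timestamp, in clock units
    arrival_s: float  # capture time at the probe, in seconds


def loss_fraction(packets):
    """Lost / expected packets, tolerating 16-bit wraparound, reordering, duplicates."""
    if not packets:
        return 0.0
    base = max_seq = packets[0].seq
    cycles = 0
    seen = set()
    for p in packets:
        delta = (p.seq - max_seq) & 0xFFFF
        if delta < 0x8000:           # in order, possibly after a gap
            if p.seq < max_seq:      # sequence number wrapped past 65535
                cycles += 0x10000
            max_seq = p.seq
            ext = cycles + p.seq
        else:                        # late or reordered packet
            ext = cycles + p.seq
            if p.seq > max_seq:      # it belongs to the previous cycle
                ext -= 0x10000
        seen.add(ext)
    expected = cycles + max_seq - base + 1
    return max(0.0, (expected - len(seen)) / expected)


def interarrival_jitter_ms(packets, clock_hz=CLOCK_HZ):
    """Running jitter estimate from RFC 3550 section 6.4.1, returned in ms."""
    jitter = 0.0
    prev_transit = None
    for p in packets:
        transit = p.arrival_s * clock_hz - p.rtp_ts   # relative transit time
        if prev_transit is not None:
            d = abs(transit - prev_transit)
            jitter += (d - jitter) / 16.0             # 1/16 smoothing gain
        prev_transit = transit
    return jitter / clock_hz * 1000.0


def r_to_mos(r):
    """ITU-T G.107 mapping from R-factor to estimated MOS.

    The estimate is capped at 4.5 although the MOS scale itself runs to 5.0.
    """
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1 + 0.035 * r + 7e-6 * r * (r - 60) * (100 - r)


def within_review_tolerance(reported_mos, actual_mos,
                            reported_jitter_ms, actual_jitter_ms):
    """Accuracy bar cited in the review: MOS within 0.1 and jitter within 10%."""
    mos_ok = abs(reported_mos - actual_mos) <= 0.1
    jitter_ok = abs(reported_jitter_ms - actual_jitter_ms) <= 0.10 * actual_jitter_ms
    return mos_ok and jitter_ok


def constructed_stream():
    """Constructed capture: 20 ms packets across a sequence wrap; seq 1 is
    lost and seq 0 arrives 4 ms late."""
    slots = [(65534, 0, 0.0), (65535, 1, 0.0), (0, 2, 0.004),
             (2, 4, 0.0), (3, 5, 0.0)]
    return [RtpPacket(seq, i * 160, 100.0 + i * 0.020 + late)
            for seq, i, late in slots]


if __name__ == "__main__":
    stream = constructed_stream()
    print("loss fraction :", round(loss_fraction(stream), 4))
    print("jitter (ms)   :", round(interarrival_jitter_ms(stream), 4))
    print("MOS at R=93.2 :", round(r_to_mos(93.2), 2))
```

A probe that misreads either RTP timestamps or arrival times shifts the jitter figure directly, which is one way two tools watching the same call can disagree.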

Ten of the 24 network-troubleshooting tasks we challenged the vendors to detect and react to depended on measuring voice quality. All of the products tested could detect these problems and were capable of assessing voice quality, but WinEyeQ’s greater accuracy in measuring made for more accurate reporting of events and alarms, and fewer false-positive notifications when it assessed the network. This is important not only when it comes to finding problems but also in terms of preventing unnecessary work on the part of a VoIP administrator. If a VoIP analysis tool inaccurately senses a problem — perhaps too much jitter — it can trigger a domino effect of other false alarms. We believe WinEyeQ’s spot-on performance has much to do with the fact that it was designed from the ground up as a VoIP analysis and monitoring tool.

Despite its ability to hit even the tiniest VoIP-network detail squarely on the head, when it comes to identifying the problems to which those details correlate, WinEyeQ’s interface design is clean and simple. There’s some unnecessary glitz, but it provides everything you need to dig into to do packet-level analysis for VoIP and video transmissions in order to isolate, verify and troubleshoot a problem. The interface’s efficiency, organizational structure and consistency are a notable improvement from the last time we tested this product.

The product provides significant drill-down capability, letting network administrators precisely locate the sources of VoIP problems and make the adjustments needed to improve or preserve quality. It also provides a call-by-call report card and stream-quality indexes. Together these elements let administrators quickly find poor-quality calls and help explain the reasons behind performance problems. For example, we were able to isolate the one bad call out of a hundred calls placed during one test scenario.

WinEyeQ proved capable of analyzing and providing excellent reporting on as many as 1,000 simultaneous calls, and its alarms were not only accurate but also issued in real time and often more quickly than the alarms provided by some of the other products we tested. It was quickest — its response was almost immediate, for example, in our network-troubleshooting tasks — to detect an unresponsive SIP registration server.

WinEyeQ is available in configurations ranging from carrier-grade, customer-premises distributed systems to stand-alone analysis tools. In this test, we worked with the WinEyeQ Professional version, which can function as a stand-alone analyzer or a distributed probe within an entire VoIP system. We installed it on a span port on a managed switch, a typical installation scenario for a small organization. For larger organizations, Touchstone recommends plugging WinEyeQ into a mirrored port or using a line tap to guarantee perfect measurements and complete fault-tolerance. WinEyeQ also can be deployed in a distributed fashion, and for that the company offers a Web-based GUI and management framework that lets you poll those distributed probes, as well as push out software updates to them.


NETRESULTS (continued)

Product: OmniPeek Enterprise 5.0
Vendor: WildPackets, www.wildpackets.com
Price*: $28,500
Pros: Good interface-customization capability; extensive plug-ins available for IM and e-mail; full-duplex conversation playback; helpful expert commentator for troubleshooting VoIP networks.
Cons: Online help not context sensitive; no granularity for SNMP traps; voluminous reporting could be simplified.
Score: 3.88

Product: Codima Toolbox 5.1 with autoVoIP
Vendor: Codima Technologies, www.codimatech.com
Price*: $29,000
Pros: Integrated Microsoft Visio network-topology map; expert correlation engine provides troubleshooting guidance; easiest-to-use GUI with autopopulating drill-down icons for IP phones and VoIP connections.
Cons: Some interface bugs and glitches encountered; autodiscovery of network devices required, which can limit troubleshooting; troubleshooting-analysis-grid feature not intuitive; call voice-quality assessment off about 0.5 MOS.
Score: 3.73

* Vendor-suggested list price $USD based on five-site deployment based on two DS-3 and two T-1 WAN-connected locations with a central site monitor. No limit on number of users or monitored calls, but pricing limited to the necessary components for four distributed probes or agents and one central monitor.


SCORECARD

Action      | Setup config & deployment | Real-time monitoring | Diagnostics and troubleshooting | Reporting | Display and interface | Advanced features | Total
Weighting   | 20%                       | 20%                  | 20%                             | 20%       | 10%                   | 10%               |
Touchstone  | 4.6                       | 4.2                  | 3.8                             | 3.5       | 3.9                   | 4.4               | 4.05
ClearSight  | 4.3                       | 3.3                  | 4.0                             | 3.5       | 4.5                   | 4.5               | 3.92
JDSU        | 4.6                       | 3.5                  | 3.7                             | 3.4       | 4.0                   | 4.4               | 3.88
WildPackets | 4.2                       | 3.8                  | 4.1                             | 3.3       | 4.0                   | 4.0               | 3.88
Codima      | 3.9                       | 3.2                  | 3.8                             | 3.5       | 4.0                   | 4.5               | 3.73

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available.

WinEyeQ provides analysis of standards-based voice and video protocols, including SIP, H.323, Media Gateway Control Protocol (MGCP) and Megaco. It analyzes Real-time Transport Protocol (RTP) audio and video streams, and Real-time Transport Control (RTCP) and RTCP XR calls, regardless of the protocol used to establish the calls. Because the product focuses on VoIP, there is no in-depth analysis of data from other data protocols, unlike most other vendors’ wares. It handles about 650 metrics per call, while many other products provide significantly less coverage.

WinEyeQ  offers  a  wide  range  of  preformat¬ 
ted  reports,  including  call,  error,  watch,  ses¬ 
sion,  alert,  alarm  and  endpoint  summaries. 

WinEyeQ came up short in a couple of areas. It lacked the expert
commentator ability that other vendors, such as WildPackets and
Codima, provided for their tools. The network conditions for which
we were seeking assistance in troubleshooting were detected, but no
advice was provided on what we should do or otherwise check to
further troubleshoot the problem.

Also, context-sensitive help was lacking, and certain items — such
as those in the file menu — were somewhat context sensitive but not
in the sense that we expected. However, using the F1 key in some
areas sends the user to the correct area in the Help menu.

ClearSight  Analyzer  serves  up  clear  view 
of  VoIP  activity 

ClearSight’s Analyzer can be deployed on its own or paired with
remote-agent software available in its ClearSight Analyzer
Distributed package. We tested ClearSight Analyzer Distributed
6.1.6, which supports most VoIP protocols, including SIP, H.323,
Cisco’s Skinny Client Control Protocol (SCCP), MGCP, Megaco and
Real Time Streaming Protocol (RTSP).

As in the previous incarnations of Analyzer, the latest version
stands out for its intuitive and comprehensive display of network
activity. Analyzer Distributed offers a multisegment ladder diagram,
which gives quick insight into VoIP network activity, illustrating
both sides of a call. The ladder diagram also can pull together data
collected on different network segments to provide a complete
illustration of a voice or data dialog, from the client through the
infrastructure to the server and back.

Consistent color codes — red for trouble, yellow for suspected
problems, and blue or green for normal conditions — are used
throughout. All alerts and thresholds are configurable, but the
defaults were effective at identifying what is critical — red —
and less severe — yellow. While testing the product’s diagnostic
capabilities, we observed how problems, such as low-level packet
loss and slightly degraded voice call quality, accurately triggered
appropriate warnings (yellow in this case).

Red warnings on the ladder diagram indicated more serious problems,
such as an unreachable SIP registrar, which would prevent an IP
phone from establishing an initial setup on the network. In
addition, severely degraded VoIP calls (to the point we set at 3.0
MOS or lower) triggered severe alarms and necessitated a notation
in the events reporting log.

Touchstone’s WinEyeQ analyzer data scope provides a top-down view for detailed
VoIP  analysis  and  monitoring,  with  overall  network  traffic  patterns  sorted  by 
protocol,  packets  and  bandwidth.  The  interface  also  depicts  details  about  active 
and  passed  or  failed  calls  for  each  VoIP  protocol. 
Analyzer’s ability to piece together views of the test network’s
different segments, clearly show the completed dialog, and isolate
a fault in our troubleshooting exercise, contributed to its top
diagnostics-and-troubleshooting rating.

We’ve  always  liked  Analyzer’s  drill-down 
capabilities.  Users  can  easily  explore  from 
high-level  application  parameters  all  the  way 
down  to  packet  decodes.  We  clicked  on  a  SIP 
call  we  were  monitoring,  and  from  there  bur¬ 
rowed  down  through  statistics  screens  for  the 
call,  including  details  on  quality  and  call- 
setup.  We  even  could  get  to  the  capture  buffer 
that  showed  a  packet  capture  trace  of  the 
transaction. 

The ClearSight tool detects in real time TCP/IP and application
anomalies, and offers configurable, periodic (ours was 15 seconds)
snapshots of the network. It lets network administrators rapidly
determine the sources of problems and make changes without
capturing, stopping, recapturing, then recomparing data.

We  used  the  Distributed  capture  and  a  trans- 
action-reassembly  feature  of  Analyzer  to  piece 
together  the  clues  —  a  misconfigured  Layer  3 
switch  and  an  overloaded  WAN  link  —  of  a 
compound  network  anomaly  that  was  impair¬ 
ing  voice  calls.  As  many  as  four  flows  from  dif¬ 
ferent  network  locations  can  be  merged  and 
displayed  together,  a  feature  we  found  to  be 
helpful  for  rebuilding  conversations  and  spot¬ 
ting  seemingly  unrelated  activities  that  don’t 
automatically  appear  in  the  flow. 

Bottlenecks  can  be  discovered  in  real  time 
automatically  or  manually  through  the  use  of 
the  network-address-translation  wizard. 
Analyzer  employs  graphical,  Boolean  filtering 
that  uses  logic  and  algebraic  processes  to  sim¬ 
plify  fault  isolation  and  troubleshooting.  This 
capability  is  unique,  and  very  helpful  in  that 
events  could  be  filtered  and  alarms  triggered 
using  compound  expressions  for  events,  rather 
than  being  triggered  by  a  single  event-thresh¬ 
old  setting.  For  example,  we  set  a  compound 
event  to  be  triggered  when  calls’  voice  quality 
fell  below  3.0  MOS  but  network  conditions 
were  good  (low  latency  and  low  packet  loss), 
to  isolate  the  more  difficult  problems  on  the 
VoIP  network  that  could  not  be  easily 
explained  by  poor  network  conditions. 

The  tool  also  provides  real-time  audio  and 
video  playback.  Audio  can  be  exported  to  WAV 
sound  files.  Overall,  we  found  that  of  all  the 
products  tested,  Analyzer  offered  the  best  real¬ 
time  voice  and  video  monitoring,  as  well  as 
exemplary  post-capture  analysis  ability. 

We  also  were  impressed  with  the  way  the 
Analyzer  console  upgrades  the  remote 
agents  when  new  software  is  released,  and 
we  liked  that  the  ClearSight  dashboard  can 
combine  trace  files  from  different  segments 
to  allow  for  post-capture  combined  analysis 
of  as  many  as  four  files. 


How  we  did  it 


Vendors supplied their VoIP analysis and management product on the
hardware platform of their choice for hands-on testing in Miercom’s
lab in New Jersey. The test network consisted of two LAN segments
with Cisco Catalyst 3750 10/100/1000 switches. The LANs were
interconnected via simulated T-1 and DS-3 WAN links. The WAN
simulation was provided by PacketStorm Communications 1800E WAN
emulation product.

VoIP calls were generated between the two LAN segments using a
WinSIP call generator and snom SIP phones. Our test bed was
calibrated using third-party Perceptual Evaluation of Speech Quality
instrumentation.

During testing, a mix of calls with G.711 and G.729 codecs was
placed between LAN segments. The products were expected to identify
the number of calls and discern as much detail as possible about
each individual call via a port configured for monitoring the uplink
connection to the WAN. Latency, packet loss and jitter were then
introduced, and the products had to measure the impairments. We
expected that the products would be able to discern the one voice
call that was impaired and identify any other problems with the
overall VoIP communications.

We tested the tools’ ability to detect and troubleshoot two dozen
converged network problems. The tests were detecting overall network
impairments causing jitter, latency and packet loss both at
call-setup time and while calls were in progress; slow SIP server
response; duplicate addresses for registration and proxy servers;
unresponsive SIP registrar and proxy; Real-time Transport Control
Protocol misconfiguration; excessive echo and malformed SIP
call-setup messages. Real-time monitoring and alerts about the
specific anomalies induced during testing were noted while testing
was in progress. When testing was complete, the products were
required to produce automated reports based on the calls and other
activities that transpired during the testing. We evaluated these
reports' accuracy, clarity and completeness.


Analyzer has the noteworthy ability to distinguish 39 VoIP-specific
events including transactions defined in H.323, RTP, SCCP, MGCP and
Megaco, as well as general events such as SIP call setup, SIP call
failure, client or server errors, call-setup time, release time,
MOS, R-factor, Media Delivery Index (MDI) delay factor, MDI
media-loss rate and video quality. During testing, we encountered a
problem with Analyzer’s ability to report jitter accurately.

We  also  noticed  we  were  getting  some  false 
positives  during  unimpaired  VoIP  calls  where 
the  MOS  and  R-factor  were  abnormally  lower 
than  expected.  While  we  found  Analyzer’s  abil¬ 
ity  to  send  tests  and  create  actions  to  be  very 
elegant,  we  would  have  liked  to  see  ClearSight 
make  it  possible  to  set  up  problem  thresholds 
for  latency,  MOS  and  R-factor  value. 

Overall, Analyzer could clearly identify most measurable faults in
the network, whether a low MOS score for a call, excessive latency
or packet loss. The lack of an expert commentator limited its
ability as a troubleshooting tool, however. ClearSight said it plans
to include this feature in its next release.

Although reporting of short-term analysis was extensive, long-term
(beyond a month) trend analysis currently has to be handled through
third-party products. ClearSight has announced that built-in
trend-analysis features are on the way.

ClearSight  could  enhance  Analyzer’s  ease  of 
use  by  adding  help  buttons  to  the  sub-interface 
popup  screens  and  context-sensitive  help. 


JDSU  provides  flexible,  scalable, 
inexpensive  VoIP  monitoring 

JDSU’s PVA-1000 VoIP Capture Agents reside across the network and
collect detailed VoIP call statistics for signaling and
voice-transport quality. JDSU’s unique approach — providing
unlimited remote agents at a bargain price of $8,000 to every user
on the network — makes this package both flexible and scalable.

JDSU’s agents — there even is a version that can be embedded with a
user’s desktop for use with a softphone — capture bad VoIP calls as
they happen. This information is combined with data about network
jitter and packet loss and plugged into the company’s PVA-1000 VoIP
Analysis software.

JDSU  offers  great  interoperability  —  the 
analysis  software  works  with  any  agent  that 
uses  pcap  (a  common  API  for  packet-captur¬ 
ing).  In  other  words,  you  don’t  need  to  use  a 
JDSU  agent  or  monitor  to  capture  the  traffic 
you  wish  to  analyze  with  the  PVA-1000. 

In testing, it was quite apparent that JDSU’s roots are in the
protocol-analysis market. Drilling down through the displayed
alerts, you quickly land on screens full of the protocol statistics
and packet decodes that you would expect to see from a protocol
analyzer.

We found the PVA-1000’s interfaces and navigability to be extremely
effective. The context-sensitive online help was excellent.

Signaling trace diagrams for SIP, MGCP or Network-based Call
Signaling (NCS), and SCCP are displayed clearly and in real time on
the main interface as specific calls are selected from the
continuously updating interface. By clicking on a message in the
signaling ladder-diagram, the troubleshooter can obtain full
protocol decode for Cisco SCCP, SIP, H.323, MGCP or NCS, Megaco,
H.248, and RTP or RTCP.

The PVA-1000 identifies and evaluates every VoIP call by using a
capture file, a process that then allows IT personnel to select
individual calls for analysis. Each call can be scrutinized for
signaling, jitter and packet loss. Additionally, the software can
identify the RTP stream without the presence of signaling, if only
a portion of a call is available in the capture file. The system
works using a round-robin revolving capture-buffer, always
capturing, just in case you want to trigger a capture and catch
what already happened.
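The paragraph above mentions finding an RTP stream in a capture that holds no signaling. The following Python sketch is an added example, not JDSU's code or anything from the original article: it checks each UDP payload against the RTP fixed header, requires a run of advancing sequence numbers per SSRC, and derives loss and RFC 3550 interarrival jitter for the stream. The thresholds, addresses and sample packets are constructed assumptions.

```python
import struct
from collections import defaultdict

CLOCK_HZ = {0: 8000, 8: 8000, 18: 8000}  # static types PCMU, PCMA, G729 (RFC 3551)
MIN_PACKETS = 8   # assumption: packets needed before a flow counts as a stream
MAX_GAP = 50      # assumption: largest forward sequence step accepted as loss


def parse_rtp(payload):
    """Return (pt, seq, ts, ssrc) if a UDP payload could be RTP v2, else None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                          # version field must be 2
        return None
    if 200 <= b1 <= 204:                      # RTCP SR/RR/SDES/BYE/APP, not RTP
        return None
    if len(payload) < 12 + 4 * (b0 & 0x0F):   # no room for the CSRC list
        return None
    return b1 & 0x7F, seq, ts, ssrc


def analyse(pkts, clock_hz):
    """pkts: [(arrival_s, seq, ts)] in capture order. Return stats or None."""
    if len(pkts) < MIN_PACKETS:
        return None
    prev_arrival, first_seq, prev_ts = pkts[0]
    ext = highest = first_seq                 # extended (unwrapped) sequence number
    forward = 0
    jitter = 0.0                              # in RTP timestamp units
    for arrival, seq, ts in pkts[1:]:
        step = (seq - ext) & 0xFFFF           # 16-bit wraparound-safe difference
        if step >= 0x8000:
            step -= 0x10000                   # late or reordered packet
        ext += step
        highest = max(highest, ext)
        if 0 < step <= MAX_GAP:
            forward += 1
        ts_delta = (ts - prev_ts) & 0xFFFFFFFF
        if ts_delta >= 1 << 31:
            ts_delta -= 1 << 32
        d = (arrival - prev_arrival) * clock_hz - ts_delta
        jitter += (abs(d) - jitter) / 16.0    # RFC 3550 section 6.4.1 estimator
        prev_arrival, prev_ts = arrival, ts
    if forward < 0.8 * (len(pkts) - 1):       # sequence numbers do not advance
        return None
    expected = highest - first_seq + 1
    return {"received": len(pkts),
            "lost": max(0, expected - len(pkts)),
            "jitter_ms": 1000.0 * jitter / clock_hz}


def find_streams(packets):
    """packets: iterable of (arrival_s, flow_tuple, udp_payload)."""
    flows = defaultdict(list)
    for arrival, flow, payload in packets:
        hdr = parse_rtp(payload)
        if hdr:
            pt, seq, ts, ssrc = hdr
            flows[(flow, ssrc, pt)].append((arrival, seq, ts))
    streams = {}
    for key, pkts in flows.items():
        # Unknown payload types are assumed to use an 8 kHz clock.
        stats = analyse(pkts, CLOCK_HZ.get(key[2], 8000))
        if stats:
            streams[key] = stats
    return streams


def build_sample():
    """Constructed capture: one G.711 stream with two lost packets, plus noise."""
    flow = ("10.0.1.10", 16384, "10.0.2.20", 16384)
    pkts = []
    for i in range(50):
        if i in (10, 11):                     # two packets dropped on the WAN
            continue
        seq = (65520 + i) & 0xFFFF            # crosses the 16-bit wrap
        arrival = 0.020 * i + (0.004 if i % 5 == 0 else 0.0)
        hdr = struct.pack("!BBHII", 0x80, 0, seq, 160 * i, 0x1234ABCD)
        pkts.append((arrival, flow, hdr + bytes(160)))
    # A DNS query whose ID happens to pass the per-packet header check.
    dns = bytes.fromhex("800101000001000000000000") + b"\x03www\x00\x00\x01\x00\x01"
    pkts.append((0.5, ("10.0.1.10", 5353, "10.0.2.53", 53), dns))
    # An RTCP sender report on the adjacent port.
    pkts.append((0.6, ("10.0.1.10", 16385, "10.0.2.20", 16385),
                 bytes([0x80, 200, 0, 6]) + bytes(24)))
    return pkts


if __name__ == "__main__":
    for key, stats in find_streams(build_sample()).items():
        print(key, stats)
```

The DNS packet passes `parse_rtp` on its own, which is why the per-flow sequence check is needed before a flow is reported as a call.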

Being able to go into a huge capture buffer — to find the call you
are looking for and then decide which component you wish to analyze
— is an extremely impressive feature. The product also assists you
in finding exactly what you are looking for by providing a link from
the GUI to the information that will identify the call to either its
actual location on the network or finding a portion of the call
within the capture buffer. It’s like being able to find a needle in
a haystack.

The  PVA-1000  nailed  all  24  network  prob¬ 
lems  we  set  out  for  the  test  systems  to  discov¬ 
er.  It  doesn’t  provide  advice  or  recommenda¬ 
tions  on  what  to  do  once  a  fault  is  identified, 
however,  which  competing  products  do  offer. 

The  PVA-1000  was  very  accurate  in  measur¬ 
ing  real-time  voice  quality  and  network  condi¬ 
tions.  It  was  able  to  isolate  and  report  on  spe¬ 
cific  calls  and  automatically  isolate  and  report 
on  calls  it  found  with  voice  quality  below 
acceptable  thresholds. 

JDSU’s product offered great voice-quality statistics, including
one the company refers to as “recency,” a measure of how close to
the end of a call an event came that may have affected voice
quality. This metric helps isolate faults in troubleshooting by
providing the most relative (by time) network problem as it pertains
to the call.

The PVA-1000 provides stereo playback with jitter buffer-emulation
that allows replay of entire conversations, not just one side of a
conversation, in duplex mode for better troubleshooting analysis.
Buffer emulation lets the administrator “experiment” with different
jitter buffer settings when replaying traffic, to test and prove
configuration modifications on a small scale before applying the
changes globally. The PVA-1000 also allows for easy translation of
the VoIP capture files, for all or portions of a call, to WAV files
for additional troubleshooting ability.

The PVA-1000 can be set to trigger and capture on a MOS threshold,
and it will do this monitoring work transparently to the user. It
did a good job of issuing alerts in real time when there were
problems that needed attention.

The  program  creates  sharp-looking  graphi¬ 
cal  reports  and  pie  and  bar  charts.  Just  about 
any  point  of  interest  is  extensible  and 
chartable  to  your  liking,  and  data  can  be  fil¬ 
tered  and  exported  from  the  tool  in  a  multi¬ 
tude  of  formats. 

The distribution of problems throughout an individual call can be
displayed on graphs, and the software provides moving audio-playback
indicators that help show how the problems impaired audio quality.
Summary-detail reports, fully formatted and ready for printing or
saving in a number of formats, can be made for any capture file.

WildPackets  offers  VoIP  tools  in  the  midst 
of  IP  network  analysis 

We tested Version 5.1 of WildPackets’ flagship product, the
OmniPeek Enterprise with its distributed-data-capture-and-analysis
core software called OmniEngine. The enterprise package — which can
collect data from an unlimited number of OmniEngines watching
various parts of the network — is the only WildPackets distribution
that supports VoIP monitoring and analysis.

WildPackets’ OmniEngine Manager keeps tight remote-control over the
distributed OmniEngines and analyzes data from them that has been
compressed and encrypted with a proprietary technique before it is
sent from the engines to the manager device. Configuring the remote
engines — to set up the initial traffic filters and start the
analysis for specific protocols or network addresses — was simple.

To avoid sending unnecessarily large files over the network, the
OmniManager requests only those portions of the data capture that
are really needed for its analysis. In our testing, the network
traffic was reduced to less than a tenth of the bandwidth used by
other products accessing remote-capture information. Even though
analysis does not require a full downloading of remote captures,
OmniPeek still allows the operator to download the entire
capture-file for data archiving and full offline access to that
backed-up data store.

Although  the  product  did  a  pretty  good  job 
analyzing  VoIP  traffic,  it  still  was  obvious  to  us 
from  the  way  the  GUI  was  organized  that  its 
focus  still  lies  in  watching  other  types  of  traffic. 
In  a  few  cases,  we  had  to  hunt  for  the  analysis 
data  we  were  seeking  among  a  seemingly 
overwhelming  interface  of  other  network  data. 

The  Visual  Expert  interface  is  part  of 
OmniPeek  Enterprise’s  GUI  component,  which 
has  an  effective  “top  talkers”  display  and  pro¬ 
vides  a  very  effective  ladder-diagram  of  con¬ 
versation  transactions  pieced  together  from 
multisegment  analysis  captures.  The  interface 
is  very  customizable  compared  with  similar 
features  in  the  other  products  tested. 

The ladder diagram depicts the stages of the SIP call-setup, and
once the call is connected it superimposes plots of the
voice-quality R-factor and jitter metrics on the screen. We could
clearly see when the server was slow to respond to the connection
request and see when voice quality degraded because of overloaded
network conditions.

The Expert System included in the OmniPeek GUI diagnoses network
problems based on 26 VoIP-specific events it uses to trigger alarms.
Monitored items include SIP client error, SIP server error, RTP late
packet arrival, low-MOS call quality, low R-factor, low
conversational quality and many others. The tool was particularly
effective in identifying the sources of problems relating to
media-analysis and


WildPackets’  VoIP  Visual  Expert  interface  provides  event  tracking  with  links  to 
specific  SIP  call  transactions  for  quick  and  effective  analysis. 


42  •  MARCH  10,  2008  •  www.networkworld.com 



voice-quality  assessment  of  calls  in  progress. 

During our testing, OmniPeek did a good job of alerting us to
problems, such as VoIP device disconnections. Event notifications
and alarms highlighted excessive latency and packet loss when we
induced them on the network. However, we encountered a problem
during one of the tests when the product could not accurately report
the latency (using RTCP information) of the VoIP traffic while
connected to a mirrored port on the network. The other tests we
conducted ran well, with OmniPeek detecting our battery of network
impairments and induced faults without much difficulty.

OmniPeek’s  Expert  System  provided  the  best 
troubleshooting  advice  of  the  products  tested, 
by  clearly  explaining  the  VoIP  events  and  pro¬ 
viding  additional  guidance  and  suggestions 
about  what  to  check  to  correct  the  problem.  Its 
ability  to  report  on  network  jitter  more  accu¬ 
rately  than  some  of  the  other  tools  gave  it  an 
edge  when  we  used  it  to  troubleshoot  and 
identify  degraded  conditions  in  our  simulated 
VoIP  network. 

OmniPeek  can  save  individual  calls  as  raw 
packet  streams  or  as  WAV  files,  and  we  were 
impressed  by  its  ability  to  show  and  replay  full- 
duplex  conversation  playing  both  ways  simul¬ 
taneously.  This  full-duplex  monitoring  and 
replay  potentially  could  provide  better  insight 
when  you’re  troubleshooting  a  problem,  espe¬ 
cially  if  echo  or  excessive  latency  is  a  factor. 

OmniPeek also offered detailed reporting. We generated a 102-page
Adobe PDF document about our testing experience, and all pertinent
transactions and problems were reported. Its trend analysis left a
little to be desired, however. Page count isn’t everything. We would
prefer more-distilled information.

OmniPeek  has  one  of  the  most  extensive 
sets  of  plug-ins  of  all  the  products  tested. 
They  include  a  Google  Maps  plug-in  that 
integrates  network-topology  maps  with  an 
Internet-downloadable  map  so  you  can  plot 
sites’  locations  by  IP  address;  an  e-mail  and 
instant-messaging  plug-in  that  allows  full- 
conversation  reconstruction  of  messages  “for 
analysis”;  a  SQL  plug-in  that  lets  you  perform 
sequel  queries  against  captured  packets;  and 
SNMP  plug-ins  for  more-extensive  SNMP  trap 
management. 

WildPackets  was  the  only  vendor  to  include  a 
training  video  with  its  product.  It  was  a  good 
source  of  help,  and  adds  significant  value  that 
can  reduce  the  product’s  TCO  and  expedite 
deployment. 

Codima  homes  in  on  troubleshooting 
VoIP  problems 

We tested three tools in Codima Technologies’ Toolbox 5.1 set:
autoVoIP, which monitors and troubleshoots VoIP networks; Traffic
Simulator, which simulates traffic and generates stress tests for
VoIP networks; and autoMap, a network-visualization tool that
provides a clear network layout of IP equipment, including IP
phones, IP-PBX equipment and SIP servers.

The  system  came  with  excellent  start-up  and 
installation  documents,  and  very  good  techni¬ 
cal  bulletins  that  showed  tips  and  traps  for 
deploying  it.  We  experienced  no  significant 
problems  installing  the  Codima  product  set, 
but  because  the  product  offers  no  installation 
prompts,  IT  personnel  encountering  problems 
are  relegated  to  reading  the  manual. 

The autoMap discovery tool integrates directly with Microsoft Office
Visio, which does not come prepackaged by Codima, to provide
graphical topology maps and asset reports of the network layout. It
has a helpful Historical Change feature that automatically
identifies topology changes. AutoMap is an effective tool for
network discovery. However, the fact that Codima’s VoIP analysis
capability relies on the autoVoIP discovery feature may limit
troubleshooting in some cases, because it sees only VoIP traffic
flowing between discovered devices. For example, we had trouble
analyzing our SIP calls emulated by the test and measurement
equipment, because the simulated endpoints would not populate in
Codima’s device map.

The autoVoIP tool uses passive analysis of VoIP traffic flows and
provides live views of the activity and related
service-level-agreement graphs. Information gathered by autoVoIP
centers on data that feeds into QoS parameters, including delay,
packet loss and jitter. MOS scores and R-factor values are then
calculated automatically based on those parameters. SIP server
performance is continuously tracked for response time and error
patterns.

AutoVoIP accurately provided analysis and troubleshooting assistance
for most of the 24 network problems and impairments we induced, with
the exception of a few tests that depended on very stringent
voice-quality thresholds. AutoVoIP could clearly assess voice
quality and identify problem calls during the testing, but the
accuracy we required for the analysis in the network-problems tests
exceeded what we observed the tool could measure, so it did not
trigger all the alarms for degraded VoIP call-quality. AutoVoIP’s
MOS was 0.5 points off what it should have been for the VoIP calls
sent over an impaired network when the VoIP traffic did not use
RTCP. Codima explained that the discrepancy probably occurred
because the product uses RTCP as its first choice to measure QoS,
but falls back to RTP analysis when RTCP is not available.
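Two passages in this review rest on the same arithmetic: the ClearSight compound event (voice quality below 3.0 MOS while latency and packet loss are low) and autoVoIP's calculation of R-factor and MOS from delay, loss and jitter. The Python sketch below is an added example, not either vendor's implementation: it uses a simplified ITU-T G.107 E-model to predict MOS from network metrics and applies the compound rule to constructed call records. The "low" thresholds, the jitter-buffer allowance and the sample calls are assumptions.

```python
from dataclasses import dataclass

# (Ie, Bpl) codec constants as tabulated in ITU-T G.113 Appendix I.
CODEC_IMPAIRMENT = {
    "G.711": (0.0, 4.3),     # without packet-loss concealment
    "G.729": (11.0, 19.0),   # G.729A with VAD values, assumed for the page's "G.729"
}
MOS_ALARM = 3.0               # threshold used in the review's compound event
MAX_GOOD_LATENCY_MS = 150.0   # assumption: what "low latency" means
MAX_GOOD_LOSS_PCT = 1.0       # assumption: what "low packet loss" means


@dataclass
class Call:
    call_id: str
    codec: str
    latency_ms: float      # one-way network delay
    jitter_ms: float
    loss_pct: float
    measured_mos: float    # as reported by the monitoring tool


def r_factor(codec, delay_ms, loss_pct):
    """Simplified E-model: R = 93.2 - Id - Ie_eff, clamped to 0..100."""
    ie, bpl = CODEC_IMPAIRMENT[codec]
    # Delay impairment: linear, with an extra penalty past 177.3 ms.
    i_d = 0.024 * delay_ms
    if delay_ms > 177.3:
        i_d += 0.11 * (delay_ms - 177.3)
    # Equipment impairment grows with random packet loss.
    ie_eff = ie + (95.0 - ie) * loss_pct / (loss_pct + bpl)
    return max(0.0, min(100.0, 93.2 - i_d - ie_eff))


def mos_from_r(r):
    """G.107 mapping from R-factor to estimated MOS."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1.0 + 0.035 * r + 7e-6 * r * (r - 60.0) * (100.0 - r)


def predicted_mos(call):
    """MOS the network alone would explain for this call."""
    # Assumption: the de-jitter buffer adds about twice the measured jitter.
    delay = call.latency_ms + 2.0 * call.jitter_ms
    return mos_from_r(r_factor(call.codec, delay, call.loss_pct))


def classify(call):
    """Compound rule: low MOS AND good network -> 'unexplained'."""
    if call.measured_mos >= MOS_ALARM:
        return "ok"
    network_good = (call.latency_ms <= MAX_GOOD_LATENCY_MS
                    and call.loss_pct <= MAX_GOOD_LOSS_PCT)
    return "unexplained" if network_good else "network"


def unexplained_calls(calls):
    return [c.call_id for c in calls if classify(c) == "unexplained"]


# Constructed sample records, not measurements from the review.
SAMPLE_CALLS = [
    Call("call-1", "G.711", 20.0, 2.0, 0.0, 4.3),    # healthy
    Call("call-2", "G.711", 150.0, 30.0, 5.0, 2.0),  # impaired WAN link
    Call("call-3", "G.729", 25.0, 3.0, 0.1, 2.6),    # bad audio, clean network
]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(c.call_id, classify(c),
              "measured=%.2f predicted=%.2f" % (c.measured_mos, predicted_mos(c)))
```

A large gap between measured and predicted MOS on a call classed as "unexplained" points away from the network path and toward causes such as echo or endpoint problems.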

AutoVoIP’s grid-style GUI overview, referred to as the
Troubleshooting Grid, visually represents the information running
across the VoIP network. The simple interface eventually allowed us
to reach detailed statistics for specific calls, but only after we
had to jump between unlinked areas to get statistics, for example,
on network jitter. We are concerned about the scalability of
Codima’s simplistic front end for very large IP phone deployments,
because you would have to scroll down to review thousands of phone
icons in a larger network.

We also ran into a few glitches in the interface. For example, the
highlighted item on the navigation tree would not remain on the item
of interest when selected. It repeatedly jumped back to the script
editor, a bug that made it difficult to keep track of our
whereabouts. Codima acknowledged this problem and reported that it
is addressed in the next software release.

For  troubleshooting,  autoVoIP  reports  on 
26  VoIP-specific  network  events  and  can 
issue  alerts  on  them  all.  We  found  these  net¬ 
work  events  to  be  accurately  triggered, 
except  for  the  MOS  discrepancy  previously 
mentioned. 

We liked the way we could see in real time who was calling whom —
from the calling-line-ID standpoint. We also give a thumbs-up to the
package’s Automatic Correlation Engine (ACE), which combines
relevant network functions and presents the results for easy
problem-solving.

For  example,  in  one  of  our  tests,  we  caused 
a  slow  initiation  of  a  SIP  call  —  an  annoying 
condition  in  which  you  pick  up  the  phone 
and  can’t  dial  and  connect  immediately. 
The  ACE  observed  and  reported  this  anom¬ 
aly  and  made  the  connection  that  the  con¬ 
dition  could  be  related  to  the  high  call- 
setup  volume  in  progress  during  this  test. 

Codima’s  autoVoIP  was  smart  enough  not 
only  to  tell  us  there  was  a  problem,  but  also, 
by  measuring  other  criteria  intelligently,  to 
suggest  what  the  problem  could  be.  Further, 
this  connection  led  to  suggested  remedies, 
for  example,  that  the  server  might  need  addi¬ 
tional  memory  or  other  resources.  Other 
alerts  would  produce  automatic  correlation 
between  VoIP  impairment  factors,  such  as 
excess  network  packet  loss  causing  a  lower 
voice-quality  MOS  score.  So,  Codima  gets 
kudos  for  providing  excellent  expert  advice 
for  our  troubled  network. 

Reporting  is  also  a  strength  for  Codima  — 
particularly  because  autoVoIP  does  trend 
analysis  and  did  well  at  mapping  and  provid¬ 
ing  a  network-overview  diagram. 

Smithers is CEO of Miercom Consulting and
Integration, a technology integration and testing
firm. He can be reached at rsmithers@miercom.com.
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opportunity  with  the  ASR  1000. “I’ll  be  consoli¬ 
dating  multiple  7200s  or  7300s  into  a  single 
ASR  chassis”  in  some  larger  points  of  pres¬ 
ence,  says  CTO  Jeff  Young,  whose  organization 
relies  on  hundreds  of  the  older  routers. 

With  the  ASR  1000,  Cisco  is  not  only  rolling 
out  its  next-generation  edge  router  but  attack¬ 
ing  a  sweet  spot  of  Juniper’s  E-series  and 
Redback  Networks’  SmartEdge  systems,  ana¬ 
lysts  say.  While  Cisco  owned  54%  of  the  $1.3 
billion  service-provider  edge-router  market  in 
the  third  quarter  of  2007,  and  dominates  with 
84%  of  the  $4.3  billion  enterprise  router  mar¬ 
ket  —  according  to  Dell’Oro  figures  — 
Juniper  has  chipped  away  steadily  (it  owned 
16%  of  the  carrier  edge-router  market  in  the 
third  quarter). 

“This  is  a  real  blast  at  some  of  their  competi¬ 
tors,”  says  Deb  Mielke,  president  of  Treillage 
Network  Strategies.  “Juniper’s  key  strength 
against  Cisco  was  in  the  edge.  But  this  baby  is 
hot  —  smaller,  more  powerful,  does  a  lot  of 
neat  things.”  Mielke  was  referring  to  some  of 
the  firewall,  deep-packet-inspection  and  ses¬ 
sion  border  control  (SBC)  capabilities  baked 
into  the  ASR  1000  that  competitors,  including 
Juniper,  usually  support  with  additional  prod¬ 
ucts  or  modules. 

Juniper's  reaction 

Juniper  CTO  and  founder  Pradeep  Sindhu 
said  at  his  company’s  analyst  conference  last 
week  that  he  is  much  more  comfortable  talk¬ 
ing  about  his  own  company’s  products  than 
Cisco’s,  but  did  offer  this  general  assessment: 
“In  sharp  contrast  to  what  Juniper  tries  to  do 
—  which  is  to  have  a  single  operating  sys¬ 
tem,  consistent  architecture  —  our  competi¬ 
tion  seems  to  specialize  in  producing  a  new 
operating  system  with  each  product  line. 
And  this  doesn’t  serve  the  customer  well.” 
(Read a Q&A with Sindhu at www.nwdocfinder.com/3047.)

There  are  three  models  of  the  ASR  1000:  the 
1002,  which  has  three  port  adapter  slots;  the 
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1004,  with  eight  slots;  and  the  1006,  with  12. 
The port adapters include two- and four-port
channelized and clear-channel T-3/E-3; four-port
serial interface; eight-port channelized
T-1/E-1; four- and eight-port 10/100 Ethernet;
two-, five-, eight- and 10-port Gigabit Ethernet;
one-port 10 Gigabit Ethernet; and two- and
four-port OC-3 packet over SONET (PoS), and
one-port OC-12 PoS.

The 1002 model has another slot for a 5G to
10Gbps embedded services processor (ESP),
as well as an integrated route processor. The
1004 model has separate slots for a 10Gbps ESP
and a route processor, and the 1006 model has
two 10Gbps ESP slots and two route-processor
slots for hardware redundancy.

At 5G to 10Gbps, the ASR 1000 fills a niche
between the 1Gbps 7200s and the 15Gbps 7600
series, which is dedicated to Ethernet aggregation.
In the enterprise, the ASR 1000 can be
used  as  a  headend  to  aggregate  multiple  Cisco 
Integrated  Services  Routers  at  branch  sites;  as 
an  Internet  gateway;  and  as  a  private  WAN 
using  leased  lines  and  dedicated  fiber. 

In  a  service-provider  environment,  the  ASR 
1000  can  function  as  a  broadband-service  pro¬ 
visioning  vehicle  and  as  customer  premises 
equipment  for  a  managed  service  offering. 

The ESP, which is based on the QuantumFlow
processor, lets services, such as network
security deep-packet inspection, firewall,
QoS, Network Based Application Recognition,
broadband aggregation and SBC, reside in software
and not require additional hardware support
in the form of a service blade, Cisco says.
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Cisco  says  it  spent  $100  million  to  develop 
QuantumFlow,  which  is  160  times  faster  than 
the  processor  used  in  its  7200-series  router 
line.  QuantumFlow  was  developed  with  tech¬ 
nology  obtained  from  Cisco’s  acquisition  of 
Procket  Networks  in  2004. 

The  processor  is  “just  flat-out  cool,”  says  Steve 
Schuchart,  an  analyst  at  Current  Analysis. 
“They’ve  hit  on  reliability,  security  and  speed. 
They’ve  added  services  to  the  router  —  this  is 
a  nice  addition  to  their  line.” 

The ASR 1002 also has an integrated
10Gbps shared-port adapter interface processor,
while the 1004 and 1006 models have two
and three slots for Session Initiation Protocol
modules, respectively.

The ASR 1000 operating system, called IOS
XE, is based on IOS images common to the
7200 series routers but is built on a Linux
kernel. Cisco says this provides modularity
— in which one component of the operating
system can be modified without deactivating
the entire package — and improved
resiliency.

A key feature of IOS XE is its support for dual
IOS images running on a single ASR 1002 or
1004 route processor for software redundancy.
This dual operation could be used for backup
or upgrading to a different release.

The ASR 1006 does not support IOS software
redundancy in a single route processor
because each of the two hardware-redundant
route processors supports one
IOS XE image.

The  dual  images  also  provide  software  virtu¬ 
alization  to  enable  rapid  provisioning  and 
simultaneous  use  of  a  range  of  services, 
including  firewall,  IPSec  VPNs,  deep-packet 
inspection  and  SBC,  Cisco  says. 

FactSet’s Young says he does not foresee any
challenges or issues in migrating to IOS XE. But
it does require attention. “We’re definitely
aware of the significant change in architecture,”
he says. “But we’re more excited about
the benefits — a lower device count, power
and space savings, in-service upgrades — than
we are concerned about the differences. There
is some additional complexity and new cost
for me to endure, by nature of the architecture.
I think Cisco has a pretty good track record for
getting that kind of stuff right.”

Cisco  says  the  Cisco  ASR  1000  also  lets  ser¬ 
vice  providers  and  enterprises  reduce  their 
carbon  footprint  by  consolidating  the  service 
of  several  devices  or  appliances  into  a  single 
router.  At  1600  watts,  Cisco  says  an  ASR  1006 
consumes  half  the  wattage  of  a  combined 
WAN-aggregation  router,  VPN  headend,  intru¬ 
sion-prevention  appliance,  firewall  and  IPSec 
security  product,  while  offering  10  times  the 
performance. 

In  a  20-router  deployment,  the  ASR  1006  can 
generate  $170,000  in  power  cost-savings  over 
five  years  compared  with  the  router-headend- 
appliance-firewall  combination,  Cisco  says. 

The ASR 1000 series is expected to be generally
available in April in 2U, 4U and 6U sizes,
with prices starting at $35,000.
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Military  insecurity 


Mark  Gibbs 


The Internet is just shy of its 20th commercial
birthday. Given that, and the fact that
the Internet is based on technologies that
are open, well documented and well understood,
you’d think all serious enterprises that
connect their e-mail systems to the Internet
would be capable of ensuring their security
and protecting their assets.

When I write “serious enterprises” I’m thinking
about really big ones like, oh, say the United States Air Force. The USAF
is responsible for the safety of millions of people, including the president
when he’s jetting around on Air Force One, and has a budget of
billions of dollars to do the job.

The  following  might  seem  like  a  bit  of  a  digression,  but  stick  with  me, 
we’ll  join  up  the  bits  in  a  moment. 

There  is  a  town  over  in  Jolly  Old  England  called  Mildenhall  in  the 
county  of  Suffolk  where  once  upon  a  time  (March  1997)  a  gentleman 
by  the  name  of  Gary  Sinnott  decided  his  town  needed  a  Web  site. 

Sinnott created a nice site that included local news, pictures of the
town, the area’s history and so on. All was well in this Webified corner
of that green and pleasant land until around 2000 when mildenhall.com
started getting a lot of incorrectly addressed e-mail.

If you take the A101 north out of Mildenhall and drive for roughly 5
kilometers (they are, after all, Europeans) you will arrive at the gates of
Mildenhall Air Force Base which is shared by both the United
Kingdom (it’s actually RAF Mildenhall) and the USAF.

Now, when you connect naive users to the Internet and let them use
email, what mistake do they pretty much always make? Yep, they
assume every destination is in the .com domain. Thus it was that people
both inside and outside the military started sending messages to
mildenhall.com rather than mildenhall.af.mil.

Two problems came of this. First, the sheer volume of email overwhelmed
Sinnott and his server, and second, much of the content was
nothing he ever wanted to see. This included (these are Sinnott’s
words): “Spam. Loads of it! Military data — some very interesting personal
information — some very personal. Some of the worst multimedia
clips I’ve ever seen or heard. [And] interesting insights into what
some Americans consider to be pornographic.”

But  the  most  interesting  stuff  in  this  motley  collection  was  military 
data,  which  included  —  and  I  am  not  making  this  up  —  classified  bat¬ 
tlefield  strategies  as  well  as  the  flight  plans  for  Air  Force  One! 

When  Sinnott  told  the  U.S.  military  about  the  misaddressed  mes¬ 
sages  back  in  the  early  “oughts,”  they  were  somewhat  disinterested 
and  carried  on  being  disinterested  for  several  years.  According  to 
The  Register  (www.nwdocfinder.com/3045),  “Officials  advised 
Sinnott  to  block  unrecognizable  addresses  from  his  domain  and  set 
up  an  auto-reply  reminding  people  of  the  address  for  the  official  air 
force  base.”  This,  of  course,  would  not  solve  either  Mr.  Sinnott’s  prob¬ 
lems  or  those  of  the  military. 

Eventually Sinnott did follow one piece of the USAF’s otherwise
rather useless advice — “Get rid of the domain.” Sinnott killed off his
Web site (you can see his final posting via the Wayback Machine).

This  was  a  spectacular  example  of  incompetence  and  complacency 
on  the  part  of  U.S.  military  security  and  all  the  more  worrying  consider¬ 
ing  the  amount  of  money  and  effort  we’re  told  is  being  put  into  nation¬ 
al  defense.  I  wonder  how  many  more  years  will  have  to  pass  before 
military  security  is  at  least  as  good  as  the  average  enterprise? 

Gibbs is secure in Ventura, Calif. Lock down your response at
backspin@gibbs.com.
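
One way an outbound mail gateway could catch the misaddressing described in the column above, as an added example (not from the column or from any USAF system): it holds recipients whose domain reuses the site label of an internal domain under a different suffix, such as mildenhall.com for mildenhall.af.mil. The function names, the hold policy and the sample addresses are assumptions constructed for illustration.

```python
# Added example: outbound-recipient screening for the mildenhall.com /
# mildenhall.af.mil mix-up. All function names here are hypothetical.

# Assumption: the domains the organisation really receives mail on.
INTERNAL_DOMAINS = frozenset({"mildenhall.af.mil"})


def _normalize(domain):
    """Lower-case a domain and drop a trailing root dot."""
    return domain.strip().lower().rstrip(".")


def check_recipient(address, internal_domains=INTERNAL_DOMAINS):
    """Classify one recipient address.

    Returns (verdict, suggestion):
      "internal"  - domain is an internal domain or a subdomain of one
      "lookalike" - domain carries an internal site label under another
                    suffix; suggestion is the probable intended address
      "external"  - unrelated domain
      "invalid"   - not of the form local@domain
    """
    local, sep, domain = address.strip().rpartition("@")
    domain = _normalize(domain)
    if not sep or not local or not domain:
        return ("invalid", None)

    internals = sorted(_normalize(d) for d in internal_domains)
    for internal in internals:
        if domain == internal or domain.endswith("." + internal):
            return ("internal", None)

    # A lookalike reuses the leftmost (site) label of an internal domain
    # anywhere in a domain that is not itself internal.
    labels = set(domain.split("."))
    for internal in internals:
        site_label = internal.split(".")[0]
        if site_label in labels:
            return ("lookalike", f"{local}@{internal}")
    return ("external", None)


def screen_message(recipients, internal_domains=INTERNAL_DOMAINS):
    """Return {address: suggestion} for recipients to hold until the
    sender confirms the destination."""
    held = {}
    for address in recipients:
        verdict, suggestion = check_recipient(address, internal_domains)
        if verdict == "lookalike":
            held[address] = suggestion
    return held


# Constructed sample recipients (not real mailboxes).
SAMPLE_RECIPIENTS = [
    "flight.ops@mildenhall.af.mil",
    "flight.ops@mildenhall.com",
    "duty.officer@Mail.Mildenhall.COM",
    "vendor@example.org",
]

if __name__ == "__main__":
    for addr, fix in screen_message(SAMPLE_RECIPIENTS).items():
        print(f"HOLD {addr}: did you mean {fix}?")
```

A site label as generic as "mail" would match many unrelated domains, so the check suits distinctive labels and a hold-and-confirm action rather than a silent rewrite.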


In  defense  of  Caller-ID  spoofing 


It’s not me mounting the defense, mind you.
However, I thought it worth noting that a
pair of recent columns — “Confessions of a
Caller-ID spoofer” and “Caller-ID spoofing burns
fire equipment company” — generated significant
reader reaction, not all of it in lockstep
condemnation of the practice.

Turns out that Caller-ID spoofing has fans ...
and not only among the criminal, unscrupulous
and desperate: For example, you’re about to
read pleas for understanding from an engineer who works for an IP
PBX manufacturer, as well as a dutiful father (his is priceless).

For  those  who  missed  the  initial  items,  the  first  post  concerned  the 
tale  of  a  telecom  industry  veteran  who  used  a  Caller-ID  spoofing  ser¬ 
vice  —  over  and  over  again  —  to  break  through  the  voice  mail  of  a  for¬ 
mer  employer  he  says  owed  him  thousands  in  unpaid  commissions, 
while  the  second  involved  a  small  Maine  company  that  was  put  out  of 
business  for  more  than  24  hours  by  a  spoofing-enabled  credit  con. 

First we’ll hear from Jeff Rowley, an engineer at ShoreTel:

“Two beneficial uses of Caller-ID spoofing that we implement in the
ShoreTel IP-PBX include being able to send a remote-based softphone
user’s home telephone number when they call 911 out a corporate
trunk and, second, sending the Caller ID of the original caller when
using our Find Me/Follow Me feature.

The first feature allows a home-based IP call-center agent to place
outbound calls from their PC-based IP softphone and the IP-PBX system
sends their corporate caller ID out the corporate PRI. But when
they call 911 we can send their home telephone number instead,
directing the emergency response team to the correct [home] address.

The second feature enhances our Find Me/Follow Me feature. This
feature allows a caller to ‘press 1 to have the system find me.’ While the
caller is waiting the system places outbound calls to the user’s cell
phone (or home phone) but sends the original caller’s Caller-ID so the
recipient knows who the call is really from, rather than just another call
from the corporate office.

These beneficial features are not possible if the carrier filters out
Caller-IDs that are outside of the “proper range” of DIDs.”

I  asked  Rowley  a  few  questions: 

What  about  end-user  control?  Is  there  any  and  could  it  be  abused? 

In  our  system  all  three  of  the  examples  I  mentioned  are  set  by  the 
administrator  —  not  by  the  end  user.  Still  could  be  abused  but  it  would 
have  to  be  a  company-wide  plot. 

How  does  society  allow  the  good  while  eliminating  the  abuses? 

Tough one, as are all choices between security, privacy, freedom, convenience
and the like. I would equate it to allowing a consumer to be
able to host their own SMTP mail server. The ISP allows this unless
there is abuse (the server turns into a spam-monger) and then Port 25
gets turned off for that connection. ... Similarly Caller-ID spoofing
shouldn’t be automatically assumed to be bad or abusive but looked at
more in an “abuse it and you lose it” fashion.

Now we get to that dutiful Dad, one Mitch Crane from Bethlehem,
Ga., who writes:

“I have to confess, I, too, am a Caller-ID spoofer. You see, I have two
teenage daughters who have uncanny luck with their phone service: It
goes out when they don’t want to hear from a parent. I just randomly
pick one of their friends’ numbers, spoof it and I miraculously get
through. ... I’m sure they too think the practice is evil and should be
outlawed.”

Wonder  how  many  times  you’d  have  to  do  that  before  the  kids  would 
just  give  up  and  answer  when  mom  or  dad  calls. 

No  hiding  here.  The  address  is  buzz@nww.com. 
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How  to  Protect  and  Improve  System  Performance 

The  Top  Ten  Points  to  Know  about  Fragmentation 


IT professionals are heroes of the workplace. Whether with cunning
wit or a Phillip's head screwdriver, they solve most any computer
emergency. However, keeping a computer running at top speed
is usually preventative maintenance instead of last-minute, adrenaline-surging,
virus-vaccinating heroics.


Here  are  10  key  points  to  maintain  peak 
performance  across  any  network: 

1.  The  hard-disk  is  the  slowest  part  of  any 
system. 

Say you are operating a 2.5 GHz processor.
That’s 2.5 billion operations every second.
A large number of hard disks only spin
at 7200 rotations per minute, or 120 cycles
per second, or 120 Hz. This means your
CPU is more than 20 million times faster
than the hard disk. The hard disk still has mechanical
components. Think Terminator 2®,
when a mechanized Schwarzenegger is
outclassed by the faster, smarter T-1000.
When the slowest part of your computer is
making unnecessary reads, the entire system
is dragged down.

2.  Fragmentation  has  severe  effects. 

It’s  more  than  sluggish  and  crawling 
computer  speeds;  fragmentation  leads 
to  crashes,  hangs,  data  errors,  file 
corruption  and  boot-time  failures.  Files  that 
suffer  fragmentation  are  more  difficult  and 
take  longer  to  back  up.  When  systems  are 
thoroughly  defragmented,  they  run  faster 
and  more  reliably — period. 

3.  Real-time  defragmentation  is  necessary. 

Many companies rely on 24/7, mission-critical
servers. Taking these systems offline
for maintenance is not an option. But,
having a server with I/O bottlenecks is
also not an option. Only real-time, invisible
defragmentation fixes this catch-22 situation.

4.  Give  your  systems  faster-than-new  speeds. 

NTFS best-fit attempts for file placement
on hard drives are limited. Diskeeper® 2008
comes with a new technology called
I-FAAST™ (Intelligent File Access Acceleration
Sequencing Technology)1 that
re-sequences your files. So, in addition
to consolidating free space, defragmenting
with Diskeeper boosts access to your
most frequently used files by as much as
80%. I-FAAST gives systems faster-than-new
speeds.

5.  Servers  are  especially  susceptible. 

While disk striping improves physical
I/O capacity and performance, RAID and
SAN systems simply do not fix fragmentation
where it begins — at the file system.
Enormous volumes with heavy read/write
activity lead to astronomical fragmentation
rates, making RAID and SAN work
harder than they should. The efficiency
of RAID and SAN may lessen some of
the physical effects of fragmentation, but
fragmentation is never eliminated. You’ll
need to buy more and more equipment to
compensate. Sooner or later, the tortoise
catches the hare, and your system suffers
I/O bottlenecks and slow server speeds.

6.  Operate  without  interrupting  productivity. 

The new InvisiTasking™ technology makes
software transparent. Diskeeper 2008
with InvisiTasking will work invisibly in
the background; only using untapped resources.
Systems are continually improved
without any management or impact on a
system’s usability.

7.  Defragment  despite  minimal  free  space. 

The  purpose  of  defragmentation  is  to 
restore  lost  speed  and  performance.  A 
defrag  engine  must  be  able  to  operate  in 
limited  free  space,  because  drives  with 
extremely  limited  free  space  are  the  ones 
in  need  of  the  most  help.  Diskeeper  2008 
handles  millions  of  fragments  and  can 
function  with  as  little  as  1%  free  space. 

8.  Stop  fragmentation  before  it  happens. 

Diskeeper  2008  comes  with  Frag  Shield™ 
2.0,  a  technology  that  automatically  defends 
against  fragmentation  of  critical  system  files. 


Frag  Shield  2.0  prevents  crash-inducing  frag¬ 
mentation.  It’s  like  Superman®  saving  the 
day — two  days  before  there’s  a  problem. 

9.  Auto-defrag  breathes  life  into  systems. 

It  keeps  systems  at  optimum  speeds 
and  eliminates  fragmentation-related 
performance  issues.  Thoroughly  defragging 
systems  adds  2-3  years  onto  the  hardware’s 
useful  life.2 

10.  Analyze  your  network's  performance. 

Poor  performance  on  a  remote  system  can 
easily  be  mistaken  for  a  slow  network.  Get 
Disk  Performance  Analyzer  for  Networks™. 
This  free  utility  scans  networked  systems 
for  fragmentation.  See  for  yourself  how 
fragmentation  is  affecting  your  systems. 
This  groundbreaking  program  will  provide 
comprehensive  reports  on  how  system 
speeds  will  improve  with  thorough  defrag¬ 
mentation.  Visit  www.diskeeper.com/nwll 
and  get  this  free,  must-have  utility. 

Diskeeper 2008 is the only fully-automated
defragmentation program. It
operates invisibly in the background and it
dynamically adapts defragmentation strategies
to fit the needs of individual volumes.
With new defrag engines, Diskeeper 2008
restores performance on volumes with as
little as 1% free space. Get rid of slows,
bottlenecks, and fragmentation-induced
crashes. Visit www.diskeeper.com/nw9

1  Available  on  Pro  Premier,  Server  and  EnterpriseServer  editions. 

2  See  white  paper  at  www.diskeeper.com/nwpaper1 
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with  InvisiTasking m 

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»  Troubled  by  evolving  network  threats?  As  you  open  up  the  network  to  more  users 
and  deploy  newer  apps  and  business  initiatives,  your  security  should  keep  pace.  Only 
Juniper  Networks  gives  you  unprecedented  protection  from  attacks  while  providing 
visibility  across  the  network.  So  defend  against  application-layer  threats  and  minimize 
downtime.  Deliver  valuable  assets  to  a  wider  base  of  users.  Adhere  to  regulatory 
compliance  requirements. 

Juniper’s  broad  security  portfolio  lets  you  leverage  the  network  in  new  ways,  to  achieve 
greater  business  goals.  The  switch  is  on  to  Juniper  Networks:  www.juniper.net/secure 
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